On Sun, Nov 19, 2000 at 11:33:18PM -0500, Jeffrey Altman wrote:
> >
> > Can I send data to a client via normal send() call before I call
> > SSL_Accept? I would like to send a message to my client that identifies
> > the server and its options, like if SSL is being used or not? Will this
> > mess up the SSL handshake?
> >
>
> You will need to ensure that you synchronize the peers and clear the
> data channel prior to beginning the SSL/TLS handshake.
>
> There is a security concern that you must be aware of. Since
> everything that is being sent over the wire prior to the use of
> SSL/TLS is in plaintext, it can be tampered with. Therefore, you
> can't trust its contents. You absolutely should not use the contents
> of the plaintext data to determine if you should negotiate SSL/TLS.

For an example of how to use this method (cleartext first, then switch
to TLS mode), check out e.g. RFC2487 describing SMTP over TLS.
You especially don't want to identify the server (as described in the
original mail) but follow Jeffrey's advice and don't trust anything
sent in the clear. The identification is handled inside the TLS handshake
using cryptographically secured certificates (the certificate stuff inside
TLS is as important as the encryption stuff).
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
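The two points made in the thread (synchronize the peers and drain the plaintext channel before the handshake; never let unauthenticated plaintext decide whether TLS happens or who the server is) can be shown in a small cleartext-then-upgrade exchange. The following is an added example written for this page, not code from the thread's authors or from OpenSSL. The banner text, the STARTTLS command and the reply codes are a constructed, RFC 2487-style toy protocol, and the certificate paths passed to upgrade_server() are assumed placeholders; the demo itself runs the plaintext prelude over a local socketpair and stops just before the handshake, so it needs no certificate or network.

```python
import socket
import ssl
import threading

# Constructed toy protocol for this example (assumption, modelled on STARTTLS).
BANNER = b"220 example-server ready; TLS offered\r\n"
TLS_OK = b"220 Ready to start TLS\r\n"
TLS_REFUSED = b"554 Refusing TLS: data received after STARTTLS\r\n"


class PlaintextLeak(Exception):
    """Bytes arrived in the clear behind the upgrade command."""


def read_line(sock):
    """Read one CRLF line byte by byte, so nothing past it is pulled into a
    userspace buffer and the socket is clean when handed to the TLS layer."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\r\n")


def server_prelude(sock):
    """Send the banner, wait for STARTTLS and confirm the channel is drained.
    Returns True when the socket may be wrapped; raises PlaintextLeak if the
    client pipelined more bytes behind STARTTLS. Those bytes were sent
    unprotected and must not be carried into the TLS session, where they
    could be mistaken for the first authenticated command."""
    sock.sendall(BANNER)
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return False
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    if line.strip().upper() != b"STARTTLS":
        sock.sendall(b"500 Expected STARTTLS\r\n")
        return False
    if rest:
        sock.sendall(TLS_REFUSED)
        raise PlaintextLeak(rest)
    sock.sendall(TLS_OK)
    return True


def client_prelude(sock, require_tls=True):
    """Read the banner and request the upgrade. The banner is unauthenticated
    plaintext, so its claims are ignored: local policy (require_tls) decides
    whether TLS happens, and identity comes only from certificate checks."""
    banner = read_line(sock)  # may be displayed or logged, never trusted
    if not require_tls:
        return banner, False
    sock.sendall(b"STARTTLS\r\n")
    return banner, read_line(sock).startswith(b"220")


def upgrade_server(sock, certfile, keyfile):
    """Wrap a drained server socket; certfile/keyfile are the deployer's paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx.wrap_socket(sock, server_side=True)


def upgrade_client(sock, server_hostname):
    """Wrap a client socket; the default context verifies chain and hostname."""
    return ssl.create_default_context().wrap_socket(sock, server_hostname=server_hostname)


def run_demo(pipelined=False):
    """Run the plaintext prelude over a socketpair. pipelined=True plays a client
    that pushes an extra command in the same write as STARTTLS (constructed
    input), which the server must refuse rather than buffer into the session."""
    srv, cli = socket.socketpair()
    result = {}

    def server():
        try:
            result["server_ready"] = server_prelude(srv)
        except PlaintextLeak as leak:
            result["server_ready"] = False
            result["leaked"] = leak.args[0]

    t = threading.Thread(target=server)
    t.start()
    if pipelined:
        result["banner"] = read_line(cli)
        cli.sendall(b"STARTTLS\r\nHELO injected\r\n")
        result["client_ok"] = read_line(cli).startswith(b"220")
    else:
        result["banner"], result["client_ok"] = client_prelude(cli)
    t.join()
    srv.close()
    cli.close()
    return result


if __name__ == "__main__":
    print(run_demo())                 # clean prelude: both sides ready to wrap
    print(run_demo(pipelined=True))   # trailing plaintext detected and refused
```

In a real deployment the two upgrade functions are called immediately after a successful prelude, on the same socket objects, and the client's view of "who the server is" comes entirely from the certificate verification inside wrap_socket(), exactly as Lutz describes; the banner is cosmetic.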