On Fri, 2003-11-07 at 21:45, Lutz Jaenicke wrote: > When you are using s_client, you will most likely negotiate an EDH cipher > that cannot be decrypted with ssldump. Use > openssl -s_client -ciphers RC4-MD5 ... > to generate "decryptable" sessions...
Ah - thank you - that makes total sense (and also allows me to see it working :-). It's just that I see people who keep mentioning ssldump as some magic tool that will allow you to decrypt all that traffic going to your SSL-protected application. Whereas the reality is that will only work if a static RSA cipher such as RC4-MD5 is negotiated during SSL setup. So you really have to force your SSL server to exclusively support such ciphers to be able to reliably decrypt SSL traffic, and yet they are not the most secure of options available. So in reality, even having access to the server certificate(s) doesn't allow you to decrypt SSL traffic except when you go out of your way to force the app to use a less secure crypto option. Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
