> On Mon, May 17, 2004, David Schwartz wrote:
> Replacing the other side's public keys is prevented by correctly
> verifying the certificate chains of each side, so additional MITM protection is normally
> unnecessary.
That doesn't check what I want to check. I specifically need to confirm that the two ends are ends of the same SSL connection. I have a situation where there is no third party that either side trusts.

> The exception to this is the few unauthenticated cipher suites such as
> anonymous DH which don't use certificates but those are disabled
> by default.

Others have also suggested an HMAC on the contents, but this won't tell me the link is correct until after I've sent all my data (potentially to a MITM!).

Again, here's the situation -- I have two software entities that have a shared secret; they also each have an end of an SSL connection. What I want to determine is whether they are ends of the same SSL connection. So what I need to do is determine some MITM-proof SSL session parameters and confirm them with the shared secret.

Or, to put it another way, imagine you and I are on the phone and also have a network connection. This network connection may or may not have a MITM on it. We have OpenSSL and form an SSL connection. Now, can we determine whether or not we have a MITM who could decrypt or tamper with the data?

Can I extract the symmetric cipher's secret and use that? Could a MITM choose that secret? (I don't know if the connection initiator or the connection acceptor chooses the secret. Ideally, neither side could completely control it, but I don't know enough about the SSL internals.)

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
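What the post asks for is what was later standardised as TLS channel binding (RFC 5929 tls-unique, RFC 9266 tls-exporter): take a value that only the two endpoints of one particular TLS session can compute, and authenticate it under the out-of-band shared secret before any application data is sent. On the question of who chooses the secret: the session's master secret is derived from both sides' random values and key exchange contributions, so neither endpoint alone dictates it, and a MITM that terminates TLS towards each end holds two separate sessions with two different master secrets, so the two real endpoints derive different exporter values and their tags will not match. The example below is added to this page and is not code from the thread or from OpenSSL; it uses Go's standard-library crypto/tls instead of OpenSSL, a self-signed certificate that nobody verifies (the "no trusted third party" situation in the post), loopback TCP, and an HMAC-SHA256 tag construction with the role labels "client" and "server", all of which are choices made for this example. The relay function plays the MITM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"math/big"
	"net"
	"time"
)

// must keeps the setup code short: any setup failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert is a throwaway certificate so a handshake can run at all;
// nobody verifies it, since no third party is trusted in this scenario.
func selfSignedCert() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// bindingTag is HMAC-SHA256 over role||binding under the out-of-band secret
// (a construction chosen for this example); the role label defeats reflection.
func bindingTag(secret, binding []byte, role string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(role))
	m.Write(binding)
	return m.Sum(nil)
}

// runEnd is one endpoint's side of the check. The binding is the RFC 9266
// tls-exporter value derived from this session's master secret; a MITM that
// terminates TLS has two sessions, so the real endpoints see different values.
// Only a 32-byte tag leaves this end before the peer is confirmed.
func runEnd(c *tls.Conn, secret []byte, role, peerRole string) error {
	if err := c.Handshake(); err != nil {
		return err
	}
	cs := c.ConnectionState()
	binding, err := cs.ExportKeyingMaterial("EXPORTER-Channel-Binding", nil, 32)
	if err != nil {
		return err
	}
	if _, err := c.Write(bindingTag(secret, binding, role)); err != nil {
		return err
	}
	got := make([]byte, sha256.Size)
	if _, err := io.ReadFull(c, got); err != nil {
		return err
	}
	if !hmac.Equal(got, bindingTag(secret, binding, peerRole)) {
		return errors.New("binding mismatch: other TLS session or wrong secret")
	}
	return nil
}

// relay is the MITM: it terminates TLS towards the client (which accepts any
// certificate), opens its own TLS session to the server and copies plaintext.
func relay(ln net.Listener, cert tls.Certificate, target string) {
	victim := tls.Server(must(ln.Accept()), &tls.Config{Certificates: []tls.Certificate{cert}})
	defer victim.Close()
	upstream := must(tls.Dial("tcp", target, &tls.Config{InsecureSkipVerify: true}))
	defer upstream.Close()
	go io.Copy(upstream, victim)
	io.Copy(victim, upstream)
}

// scenario runs the check over loopback TCP, directly or through the relay,
// and returns what the client and the server each concluded.
func scenario(clientSecret, serverSecret []byte, mitm bool) (clientErr, serverErr error) {
	cert := selfSignedCert()
	srvLn := must(net.Listen("tcp", "127.0.0.1:0"))
	defer srvLn.Close()
	srvDone := make(chan error, 1)
	go func() {
		srv := tls.Server(must(srvLn.Accept()), &tls.Config{Certificates: []tls.Certificate{cert}})
		defer srv.Close()
		srvDone <- runEnd(srv, serverSecret, "server", "client")
	}()
	addr := srvLn.Addr().String()
	if mitm {
		mitmLn := must(net.Listen("tcp", "127.0.0.1:0"))
		defer mitmLn.Close()
		go relay(mitmLn, cert, addr)
		addr = mitmLn.Addr().String()
	}
	conn := must(tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true}))
	defer conn.Close()
	return runEnd(conn, clientSecret, "client", "server"), <-srvDone
}
```

scenario(secret, secret, false) returns nil at both ends; scenario(secret, secret, true) routes the client through the relay and both ends report a binding mismatch, as does a direct connection where the two ends hold different secrets. The exporter is used rather than the older tls-unique because RFC 9266 requires the extended master secret for TLS 1.2 and Go's ExportKeyingMaterial only works with TLS 1.3 or extended master secret; without that, tls-unique-style bindings were shown to be breakable by the triple-handshake attack.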