> Hello,
>
> is there a way to ascertain that the data I am BIO-putting to an
> HTTPS server
> are actually encrypted, apart from watching the data flows from my openssl
> application to the server, using tcpdump?
>
> Thanks.

My classic answer to this question is "what is your threat model". Or, to
put it another way, what do you imagine might prevent this from happening?

The best answer I can think of right now is to query the SSL connection for
the number of bits its encryption scheme is using. For example (off the top
of my head, untested):

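#include <openssl/ssl.h>

int IsEncrypted(SSL *ssl)
{
 int bits;
 const SSL_CIPHER *c;
 if(ssl==NULL)
  return -1;
 /* too early: the handshake has not finished yet */
 if(!SSL_is_init_finished(ssl))
  return -2;
 c=SSL_get_current_cipher(ssl);
 if(c==NULL) return 0;
 /* return value is the secret bits; bits receives the algorithm bits */
 if(SSL_CIPHER_get_bits(c, &bits)<40)
  return 0;
 if(bits<40) return 0;
 return 1;
}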

A negative return value indicates some kind of problem. -2 means you called
the function too early, before it is possible to know what encryption is
going to be used. 0 means encryption is not right. 1 indicates everything is
fine.

Note that you need to operate on the SSL connection. To ensure the bio you
are operating on is associated with the SSL connection you checked, you
should probably use SSL_get_[r|w]bio to make sure you have the right bio.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
