On Wed September 24 2008, Ed Wolfram wrote:
> Dave,
> It appears that my take on this was really off; thank you for your
> explanation. What I am trying to do is to create a utility like ssltap
> that will allow me the ability to pull decrypted data out of a connection
> between a browser and Apache. So it appears I need to build some kind of
> proxy that will sit between the two endpoints and take an encrypted stream
> in (let the session decode it), then (let the session encode it) write that
> back out to the original recipient?
>
> Am I getting warmer on this?

That is what is called a "man in the middle attack" - much easier if you
happen to have the keys. The 'net can tell you all about it.

Mike

> Thanks
> Ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Schwartz
> Sent: Wednesday, September 24, 2008 7:12 PM
> To: openssl-users@openssl.org
> Subject: RE: Using a memory BIO to decrypt a SSL Stream
>
> > I am trying to use a memory BIO to decrypt data from a TCP stream I am
> > processing. I have followed the following steps and for some reason I am
> > still not able to get the SSL_READ function to return anything but -1?
> > I have looked at the archives and it appears that this method has worked
> > for others?
> >
> > So I am guessing I am missing something simple (hoping more like it :)
> >
> > SSL_library_init()
> > SSL_load_error_strings()
> > meth = SSLv23_method()
> > ctx = SSL_CTX_new(meth)
> > ssl = SSL_new(ctx)
> > SSL_CTX_use_PrivateKey_file()   <- Returns 1, from what I can tell is success (PEM)
> > SSL_CTX_use_certificate_file()  <- Returns 1, from what I can tell is success (PEM)
> > memBIO = BIO_new(BIO_s_mem())
> > BIO_write(memBIO, data, datasize)
> > SSL_set_bio(ssl, memBIO, memBIO)
> > SSL_read();
>
> I guess I don't understand what you're trying to do. Are you trying to make
> an SSL session or are you trying to decrypt some static data?
>
> It looks to me like you may have a fundamental misunderstanding of what SSL
> does. Is your thinking something like this:
>
> "I create an SSL session. Then I'll hand it some plaintext, it will encrypt
> it, and I'll send that to the server. When I get some encrypted data back,
> I'll give it to the SSL session, it will decrypt it, and give me that."
>
> If so, no. SSL is not a stream cipher or a block encryption/decryption
> engine.
>
> You need to think like this:
>
> "I create an SSL session. Sometimes it will give me data to send to the
> server, and I'll hand that data to the server. If I get any data from the
> socket, I'll give that to the SSL session. If I have any data I want to
> encrypt and send, I'll give it to the SSL session. If it has any plaintext
> for me, I'll process it."
>
> Because you might receive a partial record, from which SSL_read can't return
> anything. And SSL_write might need to read some data from the SSL connection
> in order to complete negotiation. Or a million things might happen.
>
> Also, SSL is an active process. You cannot reconstruct a stored SSL session
> the same way you run one end of a connection. (It's not clear whether that's
> what you're trying to do. Where did your 'data' and 'datasize' come from?)
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
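The "active process" David describes, as an added example that is not part of the thread and not OpenSSL project code: two TLS endpoints joined only through memory BIOs, with a pump that moves ciphertext in both directions until each side's handshake completes, and a deliberately split record to show the SSL_ERROR_WANT_READ case (the "-1" from the original question) rather than plaintext. It uses Python's ssl.MemoryBIO and SSLContext.wrap_bio, which sit directly on OpenSSL's memory-BIO machinery, so the mechanics map onto the C API (separate read and write BIOs passed to SSL_set_bio, SSL_do_handshake/SSL_read/SSL_write checked with SSL_get_error). The function names Endpoint, pump, handshake, read_available and run_demo are the example's own, the "hello from ..." messages are constructed test data, and the example assumes the openssl command-line tool is on PATH to mint a throwaway self-signed certificate for the demo server.

```python
import os
import ssl
import subprocess
import tempfile


def make_throwaway_cert(workdir):
    """Self-signed cert/key for the demo server only. Assumption: the `openssl`
    CLI is on PATH. The key lives in a temp dir and is never reused."""
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAlTName=DNS:localhost".replace("AlT", "Alt"),
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key


class Endpoint:
    """One side of the connection: `incoming` holds ciphertext that arrived from
    the wire, `outgoing` collects ciphertext the TLS engine wants sent to the peer."""

    def __init__(self, ctx, server_side, server_hostname=None):
        self.incoming, self.outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=server_side, server_hostname=server_hostname)


def pump(a, b):
    """Deliver whatever ciphertext each side has queued to the other side.
    Returns the number of bytes moved (0 means nobody had anything to say)."""
    a_to_b, b_to_a = a.outgoing.read(), b.outgoing.read()
    if a_to_b:
        b.incoming.write(a_to_b)
    if b_to_a:
        a.incoming.write(b_to_a)
    return len(a_to_b) + len(b_to_a)


def handshake(client, server):
    """Drive both handshakes to completion. SSLWantReadError is the memory-BIO
    face of SSL_ERROR_WANT_READ: 'feed me more bytes from the peer first'."""
    pending = [client, server]
    while pending:
        for ep in list(pending):
            try:
                ep.tls.do_handshake()
                pending.remove(ep)
            except ssl.SSLWantReadError:
                pass
        if pump(client, server) == 0 and pending:
            raise RuntimeError("handshake stalled: a side is waiting but nothing is queued")


def read_available(ep):
    """Loop SSL_read-style until the engine has no complete plaintext record left."""
    chunks = []
    try:
        while chunk := ep.tls.read(4096):
            chunks.append(chunk)
    except ssl.SSLWantReadError:
        pass
    return b"".join(chunks)


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_throwaway_cert(workdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
        client_ctx.load_verify_locations(cafile=cert)  # trust only the throwaway cert
        client = Endpoint(client_ctx, server_side=False, server_hostname="localhost")
        server = Endpoint(server_ctx, server_side=True)
        handshake(client, server)

        # Partial record: hand the server only the first half of one encrypted record.
        client.tls.write(b"hello from client")
        record = client.outgoing.read()
        server.incoming.write(record[: len(record) // 2])
        try:
            server.tls.read()
            wants_more = False
        except ssl.SSLWantReadError:
            wants_more = True  # this is the '-1' the original poster kept seeing
        server.incoming.write(record[len(record) // 2:])  # now the record is whole
        server_got = read_available(server)

        # The other direction: server writes, ciphertext is pumped, client reads.
        server.tls.write(b"hello from server")
        pump(client, server)
        client_got = read_available(client)
        return {"version": client.tls.version(), "partial_record_wants_more": wants_more,
                "server_got": server_got, "client_got": client_got}


if __name__ == "__main__":
    print(run_demo())
```

Two things in the block answer the original question directly. First, the engine is never handed a finished byte blob and asked for plaintext once: it is polled repeatedly, and every SSLWantReadError (SSL_read or SSL_do_handshake returning -1 with SSL_get_error giving SSL_ERROR_WANT_READ) means "move more ciphertext from the peer and try again", which is why the half record yields nothing and the completed record yields the message. Second, the two directions use separate BIOs; feeding one memory BIO as both rbio and wbio, as in the quoted step list, makes the engine read back its own output. The client side also keeps certificate verification on and trusts only the demo certificate, which is the setting a proxy that terminates TLS should preserve rather than disable.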