Dave, All,
   I would also like to be able to recreate a "session" by recording (i.e. with
TCPDump -w) and playing the data back through the proxy? If I understand the
remarks below, that might not be possible?

Thanks
Ed


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Wolfram
Sent: Wednesday, September 24, 2008 7:40 PM
To: openssl-users@openssl.org
Subject: RE: Using a memory BIO to decrypt a SSL Stream

Dave,
    It appears that my take on this was really off; thank you for your
explanation. What I am trying to do is to create a utility like ssltap that
will allow me the ability to pull decrypted data out of a connection between a
browser and Apache. So it appears I need to build some kind of proxy that will
sit between the two endpoints, take an encrypted stream in (let the session
decode it), then (let the session encode it) write that back out to the
original recipient?

Am I getting warmer on this? 

Thanks
Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, September 24, 2008 7:12 PM
To: openssl-users@openssl.org
Subject: RE: Using a memory BIO to decrypt a SSL Stream


> I am trying to use a memory BIO to decrypt data from a TCP stream I am
> processing. I have followed the following steps and for some reason I am
> still not able to get the SSL_read function to return anything but -1?
> I have looked at the archives and it appears that this method has worked
> for others?
>
> So I am guessing I am missing something simple (hoping, more like it :)
>
> SSL_library_init()
> SSL_load_error_strings()
> meth = SSLv23_method()
> ctx = SSL_CTX_new(meth)
> ssl = SSL_new(ctx)
> SSL_CTX_use_PrivateKey_file()  <- Returns 1, from what I can tell is success (PEM)
> SSL_CTX_use_certificate_file() <- Returns 1, from what I can tell is success (PEM)
> memBIO = BIO_new(BIO_s_mem())
> BIO_write(memBIO, data, datasize)
> SSL_set_bio(ssl, memBIO, memBIO)
> SSL_read();

I guess I don't understand what you're trying to do. Are you trying to make
an SSL session or are you trying to decrypt some static data?

It looks to me like you may have a fundamental misunderstanding of what SSL
does. Is your thinking something like this:

"I create an SSL session. Then I'll hand it some plaintext, it will encrypt
it, and I'll send that to the server. When I get some encrypted data back,
I'll give it to the SSL session, it will decrypt it, and give me that."

If so, no. SSL is not a stream cipher or a block encryption/decryption
engine.

You need to think like this:

"I create an SSL session. Sometimes it will give me data to send to the
server, and I'll hand that data to the server. If I get any data from the
socket, I'll give that to the SSL session. If I have any data I want to
encrypt and send, I'll give it to the SSL session. If it has any plaintext
for me, I'll process it."

Because you might receive a partial record, from which SSL_read can't return
anything. And SSL_write might need to read some data from the SSL connection
in order to complete negotiation. Or a million things might happen.

Also, SSL is an active process. You cannot reconstruct a stored SSL session
the same way you run one end of a connection. (It's not clear whether that's
what you're trying to do. Where did your 'data' and 'datasize' come from?)

DS
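An added example, not code from this thread or from the OpenSSL project: the "pump" model Dave describes, written against Python's ssl.MemoryBIO/SSLObject, which wraps the same OpenSSL read/write BIO mechanism as SSL_set_bio. The function names (new_client, first_flight, feed_partial_record, client_random) and the constructed record fragment are my own; the block shows the engine emitting a ClientHello while signalling WANT_READ, a partial record yielding nothing, and two fresh sessions producing different client randoms, which is why a recorded tcpdump capture cannot simply be replayed through a proxy as Ed asks above.

```python
# Added example, not code from the thread: the "pump" model in Python's
# ssl.MemoryBIO/SSLObject, which wraps OpenSSL's rbio/wbio like SSL_set_bio.
import ssl

def new_client():
    """Client SSL object whose only 'network' is two memory BIOs we drive by hand."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no real peer in this offline demo
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    return ctx.wrap_bio(incoming, outgoing, server_side=False), incoming, outgoing

def first_flight(ssl_obj, outgoing):
    """Step the handshake once: with an empty incoming BIO the engine signals
    WANT_READ, but it has already queued the ClientHello for us to ship."""
    try:
        ssl_obj.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def record_header(data):
    """Parse the 5-byte TLS record header: (content_type, major, minor, length)."""
    return data[0], data[1], data[2], int.from_bytes(data[3:5], "big")

def client_random(client_hello):
    # record header (5) + handshake header (4) + legacy version (2) = offset 11
    return client_hello[11:43]

def feed_partial_record(ssl_obj, incoming, fragment):
    """Hand the engine an incomplete record and step it; True means it still
    wants more bytes, i.e. a partial record yields nothing, as Dave says."""
    incoming.write(fragment)
    try:
        ssl_obj.do_handshake()
        return False
    except ssl.SSLWantReadError:
        return True

if __name__ == "__main__":
    obj, inc, out = new_client()
    hello = first_flight(obj, out)
    print("ClientHello record header:", record_header(hello))
    # Constructed fragment: a handshake record claiming 90 bytes, only 10 present.
    partial = b"\x16\x03\x03\x00\x5a" + b"\x00" * 10
    print("partial record -> WANT_READ:", feed_partial_record(obj, inc, partial))
    obj2, _, out2 = new_client()
    print("fresh sessions differ:", client_random(hello) != client_random(first_flight(obj2, out2)))
```

A real proxy would loop the same way on both sides: drain the outgoing BIO to the socket, push socket bytes into the incoming BIO, and only then ask the object for plaintext.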


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
