> Dave,
>
> It appears that my take on this was really off; thank you for your
> explanation. What I am trying to do is to create a utility like ssltap
> that will allow me to pull decrypted data out of a connection between a
> browser and Apache. So it appears I need to build some kind of proxy that
> will sit between the two endpoints and take an encrypted stream in (let
> the session decode it), then (let the session encode it) write that back
> out to the original recipient?
>
> Am I getting warmer on this?
That may or may not be possible. Here's the problem: When an SSL session is established, a shared secret is negotiated. Neither side has full control over this shared secret. Alice does not choose it. Bob does not choose it. But SSL is such that they wind up with the same one.

So if instead of Alice talking to Bob, Alice talks to you and you talk to Bob, you have two choices:

1) Transparent: You can leave the shared secret establishment alone. In this case, you won't know the shared secret (but Alice and Bob will). How will you decrypt the session data?

2) Active: You can participate in the shared secret establishment. In this case, Alice and Bob will wind up with different shared secrets, and you will know both of them. But what if Alice signs her shared secret and sends it to Bob? Bob is expecting to receive his shared secret signed by Alice (since Bob expects Alice's and Bob's shared secrets to be the same, but you made them not be). How will you replace that with Bob's shared secret signed by Alice? How will you present the client with a certificate it trusts?

In short, for most protocols (HTTPS), you will need the server's key or a wildcard certificate that the client trusts. For some protocols (those that do MITM rejection beyond just checking the server certificate), even that will not be enough.

What is your outer problem? Why do you need to do this? If you have a legitimate need, there's probably a way to do it. If it's "I want to steal people's credit card numbers when they send them to Amazon", then there is no way, by design.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
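The transparent/active distinction in Dave's reply, as an added example that is not part of the original thread and not OpenSSL code: a stdlib-only Python model of a Diffie-Hellman key agreement run three ways. A passive proxy records both public shares but ends up with no exponent; an active proxy runs a separate exchange with each end and can read both sessions, but Alice and Bob no longer hold the same key; and once Alice signs her share with a key Bob already trusts, the proxy's substituted share fails verification. The DH group (p = 2**255 - 19, generator 2) and the Lamport one-time signature standing in for the long-term key behind Alice's certificate are assumptions chosen for illustration; neither is what a TLS stack actually uses, but the algebra and the checks are the same.

```python
import hashlib
import secrets

# --- Toy Diffie-Hellman group ---------------------------------------------
# Assumption for this demo only: p = 2**255 - 19 (a prime) with generator 2.
# Not a vetted DH parameter set; a real stack negotiates a named group.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent x, public share g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Both ends compute the same value: (g^b)^a == (g^a)^b mod p."""
    return pow(peer_pub, priv, P)


def session_key(shared):
    """Derive a 32-byte session key from the shared secret."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def share_bytes(pub):
    return pub.to_bytes(32, "big")


# --- Lamport one-time signature ---------------------------------------------
# A real signature scheme, stdlib only. Assumption: it stands in here for the
# certificate key Alice would sign her handshake with; any scheme would do.
def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))


# --- Choice 1: transparent proxy --------------------------------------------
def transparent_proxy():
    """The proxy forwards the handshake untouched and records what it sees."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    alice_key = session_key(dh_shared(a, B))
    bob_key = session_key(dh_shared(b, A))
    # The proxy holds only the public shares A and B, never a or b.
    # Combining the public values is not the shared secret.
    naive_attempt = session_key(pow(B, A, P))
    return {"endpoints_agree": alice_key == bob_key,
            "naive_attempt_works": naive_attempt == alice_key}


# --- Choice 2: active proxy, unsigned exchange ------------------------------
def active_proxy_unsigned():
    """The proxy runs its own exchange with each endpoint."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()                  # proxy's share sent to Alice as "Bob's"
    m2, M2 = dh_keypair()                  # proxy's share sent to Bob as "Alice's"
    alice_key = session_key(dh_shared(a, M1))
    bob_key = session_key(dh_shared(b, M2))
    proxy_alice_key = session_key(dh_shared(m1, A))
    proxy_bob_key = session_key(dh_shared(m2, B))
    return {"proxy_reads_alice": proxy_alice_key == alice_key,
            "proxy_reads_bob": proxy_bob_key == bob_key,
            "endpoints_agree": alice_key == bob_key}   # two sessions now, not one


# --- Choice 2 again, but Alice signs her share ------------------------------
def active_proxy_signed():
    """Bob trusts Alice's public key in advance and checks the share against it."""
    sk, pk = lamport_keygen()              # pk plays the role of Alice's certificate
    a, A = dh_keypair()
    sig = lamport_sign(sk, share_bytes(A))
    m, M = dh_keypair()                    # proxy swaps in its own share
    return {"bob_accepts_alice": lamport_verify(pk, share_bytes(A), sig),
            "bob_accepts_proxy": lamport_verify(pk, share_bytes(M), sig)}


if __name__ == "__main__":
    print("transparent:", transparent_proxy())
    print("active, unsigned:", active_proxy_unsigned())
    print("active, signed:", active_proxy_signed())
```

The third function is the whole point of Dave's reply in miniature: the proxy can read both directions only while it can answer the trust check with a key the verifying side already accepts, which for HTTPS means the server's own key or a certificate the client trusts. A signature over the handshake that the proxy cannot produce (client authentication, or any extra MITM rejection beyond the server certificate check) closes even that route.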