Hi I have got a query to make here. So if I know the private key(permanant) of the server is it possible to decrypt the SSL traffic?
On Thu, Sep 25, 2008 at 7:47 AM, David Schwartz <[EMAIL PROTECTED]>wrote: > > > Dave,All > > I would also like to be able to recreate a "session" by > > recording (i.e with TCPDump -w) and playing the databack > > Through the proxy? If I understand the remarks below that might > > not be possible? > > > > Thanks > > Ed > > It may or may not be possible, depending on many factors. At a minimum, you > need the key used by the server. > > Some algorithms SSL might use, and applications on top of SSL might use, > make it impossible for a non-participant to decrypt the data, even if they > have all previously-created keys. > > For example, consider (grossly simplified): > 1) Server creates a temporary RSA public/private key pair. > 2) Server signs public key from the temporary RSA key with its normal > permanent RSA private key. > 3) Server sends temporary public key, signature, and real CA certificate to > client. > 4) Client verifies signature and certificate, decrypts public temporary RSA > key. > 5) Client sends something encrypted with the public temporary RSA key. > 6) Server decrypts it with the temporary RSA private key. > > Now, analyzing this later, you would need the temporary RSA key created in > step 1 to decrypt the data sent to the client. If that data was part of the > symettric key used to protect the session, you are (by design) screwed. > > Again, what is your outer problem? If it's legitimate, there's probably a > way to do it. But there is, by intentional design, no generic way to do > this. > > DS > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] >
