The need to "get out of the way" does not come about because of CPU cycles, but because some applications fail through an SSL proxy: they can't handle re-signed certs because they offer no way to import a trusted CA. So, we allow exceptions for them.
The thing is, we want to establish exceptions on the basis of the domain name provided by the server cert, so we'd like to decide whether to proxy or not once the certificate is received.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Victor Duchovni
Sent: Sat 8/29/2009 7:16 AM
To: openssl-users@openssl.org
Subject: Re: Can I set the client hello challenge externally?

On Sat, Aug 29, 2009 at 12:09:18AM -0700, Rene Hollan wrote:

> Right, that's what I figured. Trouble is, if I chose TO proxy, then I
> must have my peer to the remote server act as if it sent the same client
> hello so as to have the same challenge bytes. AFAIK, there is no openssl
> mechanism to set this prior to sending a client hello.

OpenSSL is not intended to be a toolkit for writing MITM proxies (that may be) able to get out of the way (stop decrypting and re-encrypting and just act as a TCP proxy) of kRSA sessions.

Why the need to step down to "TCP proxy"? Are CPU cycles too scarce to encrypt at wire rates?

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
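The exchange above turns on one protocol fact: in an RSA key exchange (kRSA) the master secret and both Finished messages are bound to the exact ClientHello the server saw, so a proxy that opens its own upstream connection to look at the server certificate cannot later "get out of the way" unless it replayed the client's hello byte for byte. The following added example (written for this page, not code from the thread or from OpenSSL) models that with the TLS 1.2 PRF from RFC 5246. The randoms, premaster secret and cipher-suite list are constructed values, the transcript is truncated to the ClientHello (the later messages are identical on both paths), and the premaster is treated as a value only the client and server share, since in a real kRSA handshake it is RSA-encrypted to the server's key and the proxy never sees it.

```python
import hashlib
import hmac
import struct


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def build_client_hello(client_random: bytes, cipher_suites) -> bytes:
    """Minimal TLS 1.2 ClientHello handshake message inside a TLS record (no extensions)."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + client_random                               # 32 bytes: gmt_unix_time + random_bytes
        + b"\x00"                                     # empty session_id
        + struct.pack(">H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello_random(record: bytes) -> bytes:
    """Extract ClientHello.random from a handshake record: the bytes a proxy must reuse upstream."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    handshake = record[5:]                    # skip 5-byte record header
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    return handshake[6:38]                    # skip 4-byte handshake header and 2-byte version


def splice_is_consistent(replay_client_hello: bool) -> bool:
    """Model a proxy that sees the server cert, decides not to intercept, and then passes bytes through.

    Returns True when the client's Finished verify_data would match what the server computes,
    i.e. when the spliced kRSA handshake can complete without the proxy in the middle.
    """
    # Constructed values for the demonstration (real ones are random per handshake).
    client_random = bytes(range(32))
    proxy_random = bytes(range(100, 132))
    server_random = bytes(range(200, 232))
    premaster = b"\x03\x03" + bytes(46)       # 48-byte RSA premaster, known to client and server only
    suites = (0x002F, 0x0035)                 # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA

    client_hello = build_client_hello(client_random, suites)
    # What the server actually receives from the proxy:
    if replay_client_hello:
        server_side_hello = client_hello                          # forwarded byte for byte
    else:
        server_side_hello = build_client_hello(proxy_random, suites)   # proxy's own hello (OpenSSL default)

    # Client side: keyed by its own random and its own transcript.
    client_ms = master_secret(premaster, client_random, server_random)
    client_fin = finished_verify_data(client_ms, b"client finished", client_hello)

    # Server side: keyed by the random and transcript it was actually shown.
    seen_random = parse_client_hello_random(server_side_hello)
    server_ms = master_secret(premaster, seen_random, server_random)
    server_fin = finished_verify_data(server_ms, b"client finished", server_side_hello)

    return hmac.compare_digest(client_fin, server_fin)


if __name__ == "__main__":
    print("replayed client hello, splice consistent:", splice_is_consistent(True))
    print("proxy-generated hello, splice consistent:", splice_is_consistent(False))
```

With the hello replayed, the server's master secret and Finished computation agree with the client's, so the proxy can stop decrypting and just forward TCP; with a proxy-generated random they diverge at the first Finished, which is exactly why an API to set the client hello random before connecting was being asked for.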