Hello again!
I've sent the email below one week ago to this mailing list
(OpenSSL), and so far nobody replied... So my guess is that either
I've asked a very stupid question, or? (The email was delivered as
I've looked over the archives.)
Thanks again,
Ciprian.
On Sun, Apr 4, 2010 at 10:56 PM, Ciprian Dorin, Craciun
<ciprian.crac...@gmail.com> wrote:
> Hello all!
>
> (I'm a new member of this mailing list, so if the answer to my
> question is already somewhere in the archives please point me there.)
> (I've done some searching and couldn't find anything useful.)
>
> In the context of the Perspectives project (
> http://www.cs.cmu.edu/~perspectives ) (the Perspectives developers
> mailing list is also put in CC, so please keep them there) I want to
> implement an HTTPS proxy server that does the following:
> * when it receives the CONNECT request it connects to the
> designated target, but,
> * it monitors the connection (thus "sniffing" the connection) in
> order to obtain the SSL certificate that the server uses;
> * it compares the SSL certificate fingerprint to those reported by
> the notary servers (part of the Perspectives project infrastructure),
> and
> * if the fingerprints match I stop "sniffing" the connection and
> just continue proxying;
> * if the fingerprints don't match I just drop the connection;
>
> So my problem is the following: how can I extract the SSL
> certificate from the connection without reimplementing the TLS
> protocol?
>
> For example I assume that there is a method (which I'm not aware
> of and want to find it), in which I just feed the data that comes from
> the server to the client (ignoring the other channel of the
> connection), into a parser, which at the end will spit out the
> certificate (or at least decode the TLS packets as they fly by).
> (I bet that there are functions in the openssl library, but it's
> hard to spot them in the reference documentation.)
>
> And a second question (related to security): I guess that there is
> no way to trick my proxy by switching to another certificate once the
> first one was already sent? For example I guess there is no way in
> which the server can re-initiate the TLS handshake (reusing the same
> connection) by using another certificate than the one previously sent.
>
> Thanks for your support,
> Ciprian.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
