On 7/02/2013 7:11 p.m., Viktor Dukhovni wrote:
On Thu, Feb 07, 2013 at 11:12:13AM +1300, T J wrote:
Sorry to keep hammering away at this, but I think I am missing
something here.
OpenSSL does all this for a TLS connection anyway right? I mean,
after a handshake, encryption keys, IV's etc are generated so that
the TLS connection can use them for encrypting/decrypting data.
Surely I shouldn't have to reinvent the wheel and do what OpenSSL
already does...
All I want to do is get those keys, after the connection has been
established and use them directly in my own app instead of using the
SSL connection normally. Isn't there something like
ssl->s3->final_key ?
It is bad practice to clone keys. You should also not depend on
OpenSSL negotiating a particular algorithm. OpenSSL's key are
for the OpenSSL session only. Keys for your application should
be the result of a suitably independent KDF.
Well I wouldn't be cloning keys if I'm not using the OpenSSL session.
Once keys have been negotiated, I intend to immediately close the
connection and only reuse the session if I need a new key. I'll also
make sure both server and client only use one algorithm. This is not
your typical internet based client/public server senario. I just need a
certificate based authenticated key which SSL/TLS can provide.
From what I understand so far, the "KeyBlock" is the place to look for
the key? It's just a matter of getting the sizes and order of the
individual Keys and IV's so that I can extract the bits I need. Any
pointers in that area?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
