[EMAIL PROTECTED] writes:
> On 10 Jan, Itay Zandbank wrote:
>
> > However, Lutz's comment from before was correct. It's hard to do it for
> > EVERY protocol, since some protocols require the server to speak first. It
> > might even be impossible, because OpenSSL might actually SEND something to
> > the client before realizing this isn't an SSL connection.
> A solution may be using OpenSSL as a state machine. Have a look at
> demos/state_machine or demos/tunala (currently only in the CVS
> repository). With this technique you have the data from the socket in a
> buffer where you can inspect whether it is encrypted or not. Then you
> process it normally, if it is unencrypted. Or you have to feed it to
> OpenSSL via memory BIOs, if it is encrypted.
This only works if you understand what the protocol is that is the
alternative to SSL.
Imagine that the alternatives are SSL and some protocol that we'll call X.
Now, X is designed so that the first X message looks exactly like part
of an SSLv3 ClientHello. So, when you read the first packet off the wire,
it might contain a full X PDU or it might contain only part of an SSLv3
PDU with more to come. Which is it? We don't know and there's no good way to
determine.
Now, certain protocols DON'T have this property. For instance, it's possible
to distinguish between SSLv2 and SSLv3 PDUs. If you're dealing with such a
protocol, you might have a fighting chance at doing what you describe.
-Ekr
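As an added illustration of the peek-before-OpenSSL approach and of why it only works when the alternative protocol is recognisable, here is a small C classifier written for this note (it is not from OpenSSL or the demos mentioned above); the sample buffers are constructed, and the "X" prefix stands in for the hypothetical protocol from the mail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict on the first bytes read off a socket, before anything reaches OpenSSL. */
enum first_bytes {
    FB_NEED_MORE,           /* consistent with an SSL prefix, but too short to decide */
    FB_SSLV3_CLIENT_HELLO,  /* SSLv3/TLS record layer carrying a ClientHello */
    FB_SSLV2_CLIENT_HELLO,  /* SSLv2-style record (2-byte header) carrying CLIENT-HELLO */
    FB_NOT_SSL              /* hand the buffer to the plaintext protocol handler */
};

enum first_bytes classify_first_bytes(const uint8_t *buf, size_t len)
{
    if (len < 3)
        return FB_NEED_MORE;
    /* SSLv3/TLS record: type 22 (handshake), major version 3, 2-byte length,
       then the handshake message, whose first byte is its type (1 = ClientHello). */
    if (buf[0] == 0x16 && buf[1] == 0x03) {
        if (len < 6)
            return FB_NEED_MORE;  /* the ambiguity from the mail: a protocol "X" whose
                                     whole PDU is this 3-5 byte prefix parks us here */
        return buf[5] == 0x01 ? FB_SSLV3_CLIENT_HELLO : FB_NOT_SSL;
    }
    /* SSLv2 record: high bit of the first byte set (2-byte header, no padding),
       third byte is the message type, 1 = CLIENT-HELLO. Distinguishable from v3. */
    if ((buf[0] & 0x80) && buf[2] == 0x01)
        return FB_SSLV2_CLIENT_HELLO;
    return FB_NOT_SSL;
}

/* Constructed sample prefixes (not captured traffic). */
static const uint8_t sample_tls[]   = {0x16, 0x03, 0x01, 0x00, 0x2f, 0x01};
static const uint8_t sample_sslv2[] = {0x80, 0x2e, 0x01, 0x03, 0x00};
static const uint8_t sample_http[]  = "GET / HTTP/1.0\r\n";
static const uint8_t sample_x[]     = {0x16, 0x03, 0x01};  /* "X": looks like a v3 prefix */

int main(void)
{
    static const char *name[] = {"need more", "SSLv3 ClientHello",
                                 "SSLv2 CLIENT-HELLO", "not SSL"};
    printf("tls  : %s\n", name[classify_first_bytes(sample_tls, sizeof sample_tls)]);
    printf("sslv2: %s\n", name[classify_first_bytes(sample_sslv2, sizeof sample_sslv2)]);
    printf("http : %s\n", name[classify_first_bytes(sample_http, sizeof sample_http - 1)]);
    /* For X the server would keep waiting for bytes that never come. */
    printf("x    : %s\n", name[classify_first_bytes(sample_x, sizeof sample_x)]);
    return 0;
}
```

The last case is the point of the mail: a complete X message that happens to share an SSLv3 prefix is indistinguishable from a partial ClientHello, so no peeking strategy can settle it without knowledge of X.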
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]