Hi Eric, Thanks for taking the time to reply to my little problem yesterday.
I'm not sure what you are trying to tell me about ssldump. SSLdump is an interface sniffer, not a proxy - right ? It puts the ethernet card into promiscuous mode and copies all the packets on an interface and does it things with them, but the packets carry on untouched - is that correct ? In that case I need the remote private key ( which I don't have ) , am I correct ? Am I seriously misunderstanding ssldump ? Consider the site www.directline.com - I want to see the decrypted browser requests. ( also many other car insurance sites. ) All the stuff I want to do is heavy commercial sites, I could do it by hand from the html and java script, but there are a lot of sites I need to be able to snoop. If I proxy the request via my linux box, then I do have all the keys I need, but I suppose that Net::SSLeay.pm is better than ssldump for that - and its the failure of Net::SSLeay::read() that is at the root of all my problems with ssl at the moment. I bet you have already worked out what I'm trying to do ultimately - I've already done one car insurance site ( not ssl ), there are 4 more that I need initially for the UK market, but they are all https , hence the need not just to snoop https, but to do so in a controlled and programmatic way and lots of it. At this rate I'm going to have to buy your book. Cheers Simon Clewer [EMAIL PROTECTED] ----- Original Message ----- From: Eric Rescorla <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, March 25, 2002 10:27 PM Subject: Re: > "POP account for superquote.co.uk" <[EMAIL PROTECTED]> writes: > > Ha, I am sure you are correct, I'm trying to snoop so tunnelling is no good > > to me, hence I think in terms of the proxy masquerading as a secure server > > to the client and a secure client to the remote server. > It's quite possible to do this but you need to convince the client > to accept the certificate of your proxy. Essentially, the proxy > pretends to tunnel but really accepts the SSL connection. > > > I could be rude and say "go and get a girlfriend instead of reading rfcs", > > but I've got rfc 2616 on my desk and I actually used it just a few days ago > > to solve a problem. ( we're big into conditional websucking here ). > That would be especially rude, since I referred you to the RFC in > the process of trying to help you. > > > > If all you want to do is sniff, why not just use ssldump > > Cos I want the transaction to continue on to the remote server . > I don't see the relevance of this. ssldump is completely passive. > You simply turn it on with the appropriate filters and do your > thing. It will capture the entire tranasaction. > > > It's true that I could use ssldump and bodge it somehow, but I want ( need ) > > programmatic control throughout. I want to run through a motor insurance > > website quote engine ( 10 pages, 30 questions !! ), and dump the entire > > transaction into a text file just for programmers to look at, so that we can > > reproduce what the browser sent to the site. > I don't understand why you think that it's a problem to do this with > ssldump. ssldump captures the plaintext. In the worst case you'd > simply need some perl filter to strip everything but the plaintext. > > > Do you then, perchance, know why I am having difficulties snooping an https > > request from IE6 on a local windows client ( proxied via a linux box which > > is running the https-proxy-sniff utility from Net_SSLeay.pm ) ? > No idea. > > -Ekr > > -- > [Eric Rescorla [EMAIL PROTECTED]] > http://www.rtfm.com/ > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
