Hi all,
I need to build a scenario of detecting incorrect cypher suite of TLS
connection.
The plan is to modify from a good TLS server, to encrypt data in a different
cypher method from client request in handshake phase. However, as openssl
encapsulated the implementation, I wonder if there's any API to achieve
that? or I need to copy and modify codes from OpenSSL?
I also have additional question about SSL error. I tried four cases:
1. There's no valid physical conection
2. Physical connection valid, but no TLS server running
3. TLS server is busy occupied by another connection
4. TLS server free, but responding incorrectly (as the scenario described in
the beginning)
Is there any way to differticate these cases, especially case 4? I made
tests to case 1-3 and results are:
1. BIO_do_connect returns SSL_ERROR_SYSCALL, but error statck empty
2. BIO_do_connect returns SSL_ERROR_SYSCALL, and 2 error in error stack:
1. system library:connect:No route to host
2. system library:connect:No route to host
3. BIO_do_connect returns SSL_ERROR_ZERO_RETURN, and 1 error in error
stack:
1. SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Do I need to differentiate them according to the errors, or there's a better
way? What error is expected for case 4? Actually what I really care about is
to detect case 4, so that's why I want to build such malfunctioning server.
Any help or opinion is appreciated. Thank you all.
Peter
