Hello all!

    (I'm a new member of this mailing list, so if the answer to my
question is already somewhere in the archives please point me there.)
    (I've done some searching and couldn't find anything useful.)

    In the context of the Perspectives project (
http://www.cs.cmu.edu/~perspectives ) (the Perspectives developers
mailing list is also put in CC, so please keep them there) I want to
implement an HTTPS proxy server that does the following:
    * when it receives the CONNECT request it connects to the
designated target, but,
    * it monitors the connection (thus "sniffing" the connection) in
order to obtain the SSL certificate that the server uses;
    * it compares the SSL certificate fingerprint to those reported by
the notary servers (part of the Perspectives project infrastructure),
and
    * if the fingerprints match I stop "sniffing" the connection and
just continue proxying;
    * if the fingerprints don't match I just drop the connection;

    So my problem is the following: how can I extract the SSL
certificate from the connection without reimplementing the TLS
protocol?

    For example, I assume that there is a method (which I'm not aware
of and want to find) in which I just feed the data that comes from
the server to the client (ignoring the other channel of the
connection) into a parser, which at the end will spit out the
certificate (or at least decode the TLS packets as they fly by).
    (I bet that there are functions in the openssl library, but it's
hard to spot them in the reference documentation.)

    And a second question (related to security): I guess that there is
no way to trick my proxy by switching to another certificate once the
first one was already sent? For example I guess there is no way in
which the server can re-initiate the TLS handshake (reusing the same
connection) by using another certificate than the one previously sent.

    Thanks for your support,
    Ciprian.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
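Added example (my own code, not from the Perspectives project or the OpenSSL library, and in Python rather than C) of the parser described in the question: it reassembles handshake messages from the server-to-client TLS record stream, extracts the DER certificates from every Certificate message, and compares the leaf's SHA-256 fingerprint against a set of trusted fingerprints such as those a notary would report. SAMPLE_STREAM and FAKE_DER are constructed placeholders, not a real capture or a parseable certificate; `all_leaves_trusted` deliberately keeps checking after the first match so that a second Certificate message on the same connection is also verified.

```python
import hashlib
import struct
HANDSHAKE, CERTIFICATE, TLS12 = 22, 11, 0x0303

def tls_records(stream):
    """Yield (content_type, payload) for every complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:  # truncated record: wait for more bytes
            break
        yield ctype, body
        off += 5 + length

def server_cert_chains(stream):
    """One DER chain (list of byte strings) per Certificate message in the stream."""
    # Handshake messages may straddle record boundaries, so join all handshake
    # payloads first.  Only cleartext handshakes (TLS <= 1.2) are visible this way.
    hs = b"".join(body for ctype, body in tls_records(stream) if ctype == HANDSHAKE)
    chains, off = [], 0
    while off + 4 <= len(hs):
        msg_type, msg_len = hs[off], int.from_bytes(hs[off + 1:off + 4], "big")
        msg = hs[off + 4:off + 4 + msg_len]
        if len(msg) < msg_len:  # incomplete handshake message: stop here
            break
        if msg_type == CERTIFICATE:
            chain, p = [], 3  # skip the 3-byte total-chain-length field
            while p + 3 <= len(msg):
                clen = int.from_bytes(msg[p:p + 3], "big")
                chain.append(msg[p + 3:p + 3 + clen])
                p += 3 + clen
            chains.append(chain)
        off += 4 + msg_len
    return chains

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def all_leaves_trusted(stream, trusted):
    # True only if at least one Certificate message was seen and every one of
    # them (a renegotiation included) carries a leaf whose fingerprint is trusted.
    chains = server_cert_chains(stream)
    return bool(chains) and all(fingerprint(c[0]) in trusted for c in chains)

# Constructed sample (not a real capture): a ServerHello, then a Certificate
# message deliberately split across two records.  FAKE_DER is a placeholder blob.
def build_handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
def build_record(body):
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(body)) + body
FAKE_DER = b"\x30\x82\x01\x00" + b"A" * 60
entry = len(FAKE_DER).to_bytes(3, "big") + FAKE_DER
CERT_MSG = build_handshake(CERTIFICATE, len(entry).to_bytes(3, "big") + entry)
HELLO = build_handshake(2, b"\x03\x03" + bytes(32) + b"\x00\x00\x2f\x00")
SAMPLE_STREAM = build_record(HELLO + CERT_MSG[:20]) + build_record(CERT_MSG[20:])
```

TLS 1.3 encrypts the Certificate message, so passive extraction of this kind only works for TLS 1.2 and earlier. In those versions a renegotiation can carry a second Certificate message on the same connection, which is why the check keeps parsing rather than stopping after the first fingerprint matches.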
