>From: owner-openssl-us...@openssl.org On Behalf Of David Hinkle
>Sent: Wednesday, 19 December, 2012 14:07

>I have a system where I want to selectively man in the middle 
>some SSL connections.   My proxy server currently has the capability 
>to man in the middle all connections using openssl, or simply 
>extract the server names from the client hellos. 

>What I'd like to do is use my code to parse the client hello, 
>and from there decide if I want to engage the openssl library 
>on the connection.    Any recommendations for how I can stuff 
>the client hello that I've previously read into the SSL object 
>so that when I call SSL_accept  everything is cool?

Don't try to do things to the SSL object; that changes with 
implementation and protocol changes. Effectively you would have to 
reimplement and maintain the SSL_* logic that handles ClientHello.
Your subject indicates BIO and I believe that's the correct answer.

1- write your own BIO which answers the first read(s) with 
your "pushback" data then subsequent reads from the socket, 
and give that BIO to SSL_* to use (at least for read-side).
I'd expect it's easier to make this a filter-BIO on top of 
existing socket-BIO, or you could clone socket-BIO and modify.

2- perhaps simpler if your app is multithreaded, and I'll 
guess a proxy server probably is: have a thread (new or 
existing) which sends the pushback data then (reads and) 
sends all remaining data from the socket over a BIO-pair 
whose other end is read by SSL_*. Note that this is more 
like what you need to do in the non-MITM proxy case.

In both cases it's probably less confusing, but I believe 
not required, to handle the data sent to this socket from 
SSL_ using the same mechanism in the other direction.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
