Re: session key

2006-01-31 Thread Richard Koenning

DALE REAMER wrote:


I should explain further. The client is using openssl, the server is on 
firmware and cannot use openssl. The server developer has rc4 code and we want 
to verify the encryption phase after the handshake phase. If I could give him 
separately (offline) the session secret he could verify the server rc4 
encryption/decryption is correct (again offline).
  I find nothing for the session secret key, the closest is the 
write_mac_secret and read_mac_secret members of s3. That secret should be 
somewhere I could grab it with Visual C++.


ssldump does a decryption if you give it the private RSA key; I don't 
remember whether it also displays the session secret key, but with the 
source of ssldump you can modify it to do that anyway.

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


session key

2006-01-26 Thread DALE REAMER
I am working on a project where, for development reasons, I need to obtain the secret session key from openssl. How do I do it, and where is the key? I don't want to calculate it, I only need it to give to the server developer. We are using rc4-128 md5

Thanks, dreamer

Re: session key

2006-01-26 Thread Kyle Hamilton
There's an SSL/TLS sniffer package that, when given the server's
private key, can obtain the master key used for a session and decrypt
the frames.  I'm not quite sure what you mean by 'for development
reasons'.

It would (I'm not looking at the source here) probably be available
from one of the SSL_SESSION_get_ex_data indices.

Remember that the session master key is usually 24 or 48 bytes.  The
upper 2/3 are the server key, the lower 2/3 are the client key.  (This
depends on the version of SSL you're running, though -- I seem to
recall SSLv2 splitting the master key down the center.)

-Kyle H

On 1/26/06, DALE REAMER [EMAIL PROTECTED] wrote:
 I am working on a project where, for development reasons, I need to
 obtain the secret session key from openssl. How do I do it, and where is the
 key? I don't want to calculate it, I only need it to give to the server
 developer. We are using rc4-128 md5

 Thanks, dreamer




Re: session key

2006-01-26 Thread DALE REAMER
I should explain further. The client is using openssl, the server is on firmware and cannot use openssl. The server developer has rc4 code and we want to verify the encryption phase after the handshake phase. If I could give him separately (offline) the session secret he could verify the server rc4 encryption/decryption is correct (again offline).

I find nothing for the session secret key, the closest is the write_mac_secret and read_mac_secret members of s3. That secret should be somewhere I could grab it with Visual C++.

-dreamer

Kyle Hamilton [EMAIL PROTECTED] wrote:

 There's an SSL/TLS sniffer package that, when given the server's private key, can obtain the master key used for a session and decrypt the frames. I'm not quite sure what you mean by 'for development reasons'.

 It would (I'm not looking at the source here) probably be available from one of the SSL_SESSION_get_ex_data indices.

 Remember that the session master key is usually 24 or 48 bytes. The upper 2/3 are the server key, the lower 2/3 are the client key. (This depends on the version of SSL you're running, though -- I seem to recall SSLv2 splitting the master key down the center.)

 -Kyle H

 On 1/26/06, DALE REAMER <[EMAIL PROTECTED]> wrote:

  I am working on a project where, for development reasons, I need to obtain the secret session key from openssl. How do I do it, and where is the key? I don't want to calculate it, I only need it to give to the server developer. We are using rc4-128 md5

  Thanks, dreamer
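As an added example (not code from any of the posters or from OpenSSL): once the 48-byte master secret has been exported, for instance with ssldump as Richard and Kyle suggest, the RC4 keys and MAC secrets the firmware developer needs to check are fixed by the TLS 1.0 key expansion of RFC 2246. This script carries out that expansion for the rc4-128 md5 suite Dale names and splits the key block into the client/server write MAC secrets and write keys, the layout Kyle's reply is describing. The master secret and hello randoms are constructed sample values, and SSLv3, which uses a different MD5/SHA-1 expansion, is not covered.

```python
import hmac

# Constructed sample session values (not real ones): the 48-byte TLS master
# secret plus the two 32-byte hello randoms that the key expansion mixes in.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
# TLS_RSA_WITH_RC4_128_MD5: 16-byte MD5 MAC secrets, 16-byte RC4 keys, no IVs.
MAC_LEN = 16
KEY_LEN = 16


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) from RFC 2246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed                                           # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()    # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XORed with P_SHA1
    over the second half (the halves share a middle byte for odd lengths)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def split_key_block(key_block):
    """RFC 2246 section 6.3 order: both MAC secrets first, then both write keys."""
    return {
        "client_write_mac_secret": key_block[0:MAC_LEN],
        "server_write_mac_secret": key_block[MAC_LEN:2 * MAC_LEN],
        "client_write_key": key_block[2 * MAC_LEN:2 * MAC_LEN + KEY_LEN],
        "server_write_key": key_block[2 * MAC_LEN + KEY_LEN:2 * (MAC_LEN + KEY_LEN)],
    }


def derive_rc4_md5_keys(master_secret, server_random, client_random):
    """Key expansion; note the seed order is server_random + client_random."""
    if len(master_secret) != 48:
        raise ValueError("TLS master secret must be 48 bytes")
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random, 2 * (MAC_LEN + KEY_LEN))
    return split_key_block(key_block)


if __name__ == "__main__":
    keys = derive_rc4_md5_keys(MASTER_SECRET, SERVER_RANDOM, CLIENT_RANDOM)
    print({name: value.hex() for name, value in keys.items()})
```

The client's RC4 stream must be keyed with client_write_key and its MACs computed with client_write_mac_secret; the server side uses the other pair, so a mismatch in either slot shows up immediately when comparing against OpenSSL's output.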

Re: session key reuse - server side problems

2000-02-27 Thread Bodo Moeller

Raghuram Belur [EMAIL PROTECTED] in ulf.openssl.dev:

 We have an application for which we are using SSL enabled clients and
 servers (our own server, not a web server). I have been trying to get the
 session key reuse going for the past several days. [...]

Use SSL_CTX_set_session_id_context().  To avoid potential security
holes in applications that use a single external session cache
in SSL_CTX's with different authentication requirements,
the SSL server implementation refuses to reuse sessions unless
they were created in a matching context (see occurrences of sid_ctx
in ssl/ssl_sess.c).



session key reuse - server side problems

2000-02-24 Thread Raghuram Belur


We have an application for which we are using SSL enabled clients and
servers (our own server, not a web server). I have been trying to get the
session key reuse going for the past several days. It appears that the
session key reuse and timeouts work just fine if I hang on to the SSL
structure on the server side which was created by the previous
connection, but this causes the server to leak memory. If I call SSL_free
on the server once the exchange is completed it looks like the session
is removed from the hash table in the SSL_CTX. Setting different caching
options on the server side doesn't seem to make a difference, and
looking at the SSL_free code I can see why this is happening, because it
doesn't check any of the cache options. I have tried various other
tricks such as incrementing the reference count on the session and
adding it back to the SSL_CTX using SSL_CTX_add_session (which I
shouldn't be doing) and this makes it work, but I am seeing memory leaks
on the server. Unlike Apache, I don't have a need to pass the session
around between multiple server processes, so I don't need an external
caching mechanism. Is there any magic needed to make this work? The code
invoked in the initialization part of my server is shown below:

SSL_load_error_strings();
SSL_library_init();
server_ctx = SSL_CTX_new(SSLv3_server_method());
SSL_CTX_set_options(server_ctx, SSL_OP_ALL);

/* set timeout (the '>' was lost in the archived copy) */
if (session_timeout > 0)
    SSL_CTX_set_timeout(server_ctx, session_timeout);

/* Load the CA certificate(s) */
if (CA_cert) {
    if (!SSL_CTX_load_verify_locations(server_ctx, CA_cert, NULL)) {
        tracePrintf(error_trace, ("Unable to load CA certificate %s\n",
                                  CA_cert));
        return SALRCODE_ERROR_LOADING_CA_CERTIFICATE;
    }
}
/* Load the server certificate and matching private key
 * (the '&&' was lost in the archived copy). */
if (cert_location && private_key_location) {
    if (!SSL_CTX_use_certificate_file(server_ctx, cert_location,
                                      SSL_FILETYPE_PEM)) {
        tracePrintf(error_trace, ("Unable to load server certificate %s\n",
                                  cert_location));
        return SALRCODE_ERROR_LOADING_CERTIFICATE;
    }
    if (!SSL_CTX_use_PrivateKey_file(server_ctx, private_key_location,
                                     SSL_FILETYPE_PEM)) {
        tracePrintf(error_trace, ("Unable to load server private key %s\n",
                                  private_key_location));
        return SALRCODE_ERROR_LOADING_PRIVATE_KEY;
    }
    /* Verify that the loaded key really belongs to the loaded certificate. */
    if (!SSL_CTX_check_private_key(server_ctx)) {
        tracePrintf(error_trace, ("Server certificate %s and private key %s "
                                  "don't match\n",
                                  cert_location, private_key_location));
        return SALRCODE_ERROR_CERTIFICATE_PRIVATEKEY_CHECK;
    }
}

I have tried the following options on the accept side:

SSL_set_accept_state(ssl);
i = SSL_do_handshake(ssl);
and

SSL_accept(ssl)

and neither one changes the outcome. Removing SSL_free from the server
disconnect sequence does make it work, although it is not an option for
production code (due to memory leaks).

Any ideas/help are appreciated.

- Raghu




Re: How to get session key?

1999-04-19 Thread David J. Palaitis

I want to implement a Secure Audit Log protocol as given in
(Schneier, Kelsey: Cryptographic Support for Secure Logs on Untrusted Machines).

SSL could be used for the key exchange part of the protocol.

dave.

Ralf S. Engelschall wrote:

Why do you want the session key?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com




Re: How to get session key?

1999-04-18 Thread Ralf S. Engelschall


In article 01be867b$13610f60$[EMAIL PROTECTED] you wrote:

I have an Apache server. How can I get the session key which the client used for
 encryption? Is it possible to write the key to a file?

Why do you want the session key?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



RE: How to get session key?

1999-04-18 Thread Yuriy Stul



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Ralf S. Engelschall
 Sent: Sunday, April 18, 1999 12:15 PM
 To: [EMAIL PROTECTED]
 Subject: Re: How to get session key?
 
 
 
 In article 01be867b$13610f60$[EMAIL PROTECTED] you wrote:
 
 I have an Apache server. How can I get the session key which 
 the client used for
  encryption? Is it possible to write the key to a file?
 
 Why do you want the session key?

For testing.


Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Yuriy Stul
mailto:[EMAIL PROTECTED]




How to get session key?

1999-04-14 Thread Yuriy Stul

Hello there.
   I have an Apache server. How can I get the session key which the client used for
encryption? Is it possible to write the key to a file?

Thanks in advance.

Regards
Yuriy Stul
Tashilon Ltd.
mailto:[EMAIL PROTECTED]
http://www.tashilon.com
