Re: SSL over SOCKS solved?
On Wed, Mar 02, 2005, Peter wrote:

> I am using BIO_set_fd to set the file descriptor of a BIO created by
> BIO_new_connect to the socket of an existing SOCKS connection. This
> seems to work fine, "lsof -i" reports that indeed I am connected to the
> proxy. However, I want to be sure that my IP address is not embedded
> in the SSL connection in any way!!! Can anyone assure me of this?
> What is BIO_set_fd supposed to do? What is the behavior of OpenSSL
> when BIO_set_fd is used with an existing connection? Does
> BIO_do_connect not open a TCP connection if one already exists? Is the
> IP address of the client never used in the SSLv2/3/TLS protocol?
>

If you want to use BIOs then you can first create a socket BIO with BIO_new_socket(). A socket BIO is preferable because on some platforms sockets aren't fds.

There are several other ways to achieve the same thing but that's the easiest.

The IP address isn't embedded in the SSL connection.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
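Both points in the reply above (TLS can be layered on a descriptor that is already connected, and the client's IP address is not part of the handshake) can be checked from the client side. This is an added example, not part of the original thread or OpenSSL's own code: it uses Python's ssl module, which wraps OpenSSL, in place of the C BIO calls, and the names `start_tls_on`, `parse_client_hello`, `address_in` and the host `example.test` are assumptions made for the illustration.

```python
import socket
import ssl
import struct


def start_tls_on(sock, server_name):
    """Begin TLS on an already-connected socket; connect() is never called."""
    ctx = ssl.create_default_context()
    sock.setblocking(False)
    tls = ctx.wrap_socket(sock, server_hostname=server_name,
                          do_handshake_on_connect=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; the stand-in peer never replies
    return tls


def parse_client_hello(record):
    """Return (extension_types, sni_name) for one ClientHello record."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    pos = 5 + 4 + 2 + 32  # record header, handshake header, version, random
    pos += 1 + record[pos]  # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]  # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    types, sni = [], None
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        if etype == 0:  # server_name: list length, name type, name length, name
            sni = record[pos + 9:pos + 4 + elen].decode("ascii")
        types.append(etype)
        pos += 4 + elen
    return types, sni


def address_in(record, ip):
    """True if the IPv4 address occurs as dotted text or as packed bytes."""
    return ip.encode() in record or socket.inet_aton(ip) in record


if __name__ == "__main__":
    ours, far_end = socket.socketpair()  # constructed stand-in for the SOCKS tunnel
    tls = start_tls_on(ours, "example.test")
    print(parse_client_hello(far_end.recv(65536)))
```

The only endpoint name in the parsed hello is the server name the client asked for; the peer learns the client's address from the TCP connection it accepted, which behind SOCKS is the proxy's.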
Re: SSL over SOCKS solved?
I am using BIO_set_fd to set the file descriptor of a BIO created by BIO_new_connect to the socket of an existing SOCKS connection. This seems to work fine, "lsof -i" reports that indeed I am connected to the proxy. However, I want to be sure that my IP address is not embedded in the SSL connection in any way!!! Can anyone assure me of this?

What is BIO_set_fd supposed to do? What is the behavior of OpenSSL when BIO_set_fd is used with an existing connection? Does BIO_do_connect not open a TCP connection if one already exists? Is the IP address of the client never used in the SSLv2/3/TLS protocol?

- Peter
Re: SSL over SOCKS
Essentially, let's say I have a file descriptor (int) for an existing SOCKS connection. I want SSL to use that existing file descriptor and to know that it doesn't need to open the actual TCP/IP connection. What are the BIO and such calls for this? Currently I'm using BIO_new_ssl_connect and BIO_do_connect but I need to somehow tell the SSL lib that the connection already exists and just give it the file descriptor of the socket.

- Peter

On Mar 1, 2005, at 10:53 AM, Peter wrote:

> Hi,
>
> I'm curious about SSL's behavior over a SOCKS connection. I would
> assume that it would function fine, but that the SSL client
> certificate passed would contain the inner IP address of the network
> behind the SOCKS proxy. Is there any way to set up an SSL connection in
> a way so that the server being connected to thinks that the SOCKS
> proxy is the client for all intents and purposes? I.e., is there an
> IP address passed inside the SSL protocol (does anyone know offhand?)
> and if so, is there an easy way of removing that or modifying it
> before the packet is sent from the client?
>
> - Peter
SSL over SOCKS
Hi,

I'm curious about SSL's behavior over a SOCKS connection. I would assume that it would function fine, but that the SSL client certificate passed would contain the inner IP address of the network behind the SOCKS proxy. Is there any way to set up an SSL connection in a way so that the server being connected to thinks that the SOCKS proxy is the client for all intents and purposes? I.e., is there an IP address passed inside the SSL protocol (does anyone know offhand?) and if so, is there an easy way of removing that or modifying it before the packet is sent from the client?

- Peter