From: Yoav Nir
Date: Thursday, March 15, 2018 at 6:41 PM
To: Richard Barnes <r...@ipv.sx>
Cc: Rich Salz <rs...@akamai.com>, Hubert Kario <hka...@redhat.com>, tls@ietf.org
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3
I think if we ship the keys over some kind of secure socket layer we should be
okay, right?
From: Yoav Nir
Date: Thursday, March 15, 2018 at 6:41 PM
To: Richard Barnes
Cc: Rich Salz, Hubert Kario, tls@ietf.org
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3
IIUC not quite. There is an API, so the application that uses the library can
get the keys. The application can then save it to a file, send it to a central
repository, send it to the government, or whatever else it might want to do.
There is no built-in setting where OpenSSL writes the keys to
Date: Thursday, March 15, 2018 at 7:38 AM
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3
On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote:
At the risk of stating the obvious, it’s because server owners want to use
the same OpenSSL, NSS, SChannel, or whatever you call
Just to confirm that I understand the scope of the discussion here:
- TLS libraries have facilities to export keys from the library
- Obviously, it's possible to ship these exported keys elsewhere (`tail -f $SSLKEYLOGFILE | nc $LOGBOX`)
So all we're really talking about is whether to define a way
This is what OpenSSL provides:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
So what’s the flag in openssl.conf that makes it generate a file with all the
keys? There isn’t one. I guess the presumption is that if there was an RFC it
would be easier to get the powers that be to make it happen. It likely needs to
be in the main branch to be ubiquitous, because many produ
On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote:
At the risk of stating the obvious, it’s because server owners want to use the
same OpenSSL, NSS, SChannel, or whatever you call the Java library that
everybody else uses. They’re all widely used, actively maintained, and
essentially free.
None of these libraries support any of this functionali
One can either use a static DH share, save the ephemerals on the
servers and export them, or log all the data on the servers.
These options don't require any change to the wire protocol: they just
require vendors supporting them. Why don't they meet the needs cited?
Sincerely,
Watson