May I ask you about the master-key in openssl s_client command result?

이영주

Hello. I am a person working in Korea.

I have a question.

I wonder why master-key is revealed in plaintext in the results below.
(used command : openssl s_client -connect host:port)

------------------------------------------------------------------------------------
(skip)
SSL-Session
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID : C3921E69...
        Session-ID-ctx:
        Master-Key : 6244A1C4B9D48A6C2100198...
(skip)
------------------------------------------------------------------------------------

Does it matter if the master key is exposed in plaintext?

And I wonder what role this master key plays.

Thank you for your detailed answer.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: May I ask you about the master-key in openssl s_client command result?

Viktor Dukhovni


> On Sep 26, 2018, at 9:19 PM, 이영주 <[hidden email]> wrote:
>
> I wonder why master-key is revealed in plaintext in the results below.
> (used command : Openssl s_client -connect host:port)

Because s_client is a debugging tool, and a source of example code
that demonstrates many elaborate features of the API from which you
can pick and choose the functions that are useful to you.  The s_client
command is NOT designed to be used for any non-diagnostic purposes.
 
> Does it matter if the master key is exposed in plaintext?

That's a feature.  You can check when using s_server that both computed
the same key.

> And I wonder what role this master key plays.

  https://tools.ietf.org/html/rfc5246#section-8.1
  https://tools.ietf.org/html/rfc5246#appendix-A.6
  https://tools.ietf.org/html/rfc5246#section-6.3
  https://tools.ietf.org/html/rfc5246#section-7.4.9
  https://tools.ietf.org/html/rfc5246#appendix-F.1.1
  https://tools.ietf.org/html/rfc5246#appendix-F.1.4
  https://tools.ietf.org/html/rfc5246#appendix-F.2

--
        Viktor.

Re: May I ask you about the master-key in openssl s_client command result?

Stiju Easo
Hi,

  Just an info, may not be relevant.
  If extended master secret is enabled (by default on all browsers nowadays),
  the computation of master secret is different.


On Thu, Sep 27, 2018 at 7:25 AM Viktor Dukhovni <[hidden email]> wrote:


> On Sep 26, 2018, at 9:19 PM, 이영주 <[hidden email]> wrote:
>
> I wonder why master-key is revealed in plaintext in the results below.
> (used command : Openssl s_client -connect host:port)

Because s_client is a debugging tool, and a source of example code
that demonstrates many elaborate features of the API from which you
can pick and choose the functions that are useful to you.  The s_client
command is NOT designed to be used for any non-diagnostic purposes.

> Does it matter if the master key is exposed in plaintext?

That's a feature.  You can check when using s_server that both computed
the same key.

> And I wonder what role this master key plays.

  https://tools.ietf.org/html/rfc5246#section-8.1
  https://tools.ietf.org/html/rfc5246#appendix-A.6
  https://tools.ietf.org/html/rfc5246#section-6.3
  https://tools.ietf.org/html/rfc5246#section-7.4.9
  https://tools.ietf.org/html/rfc5246#appendix-F.1.1
  https://tools.ietf.org/html/rfc5246#appendix-F.1.4
  https://tools.ietf.org/html/rfc5246#appendix-F.2

--
        Viktor.



--
Stiju Easo

The unexamined life is not worth living for man.
      Socrates, in Plato, Dialogues, Apology
      Greek philosopher in Athens (469 BC - 399 BC)
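
Added example, not part of the original thread and not OpenSSL code: a sketch of the RFC 5246 section 8.1 master secret derivation that Viktor's links point to, next to the RFC 7627 extended master secret computation Stiju mentions, for the ECDHE-RSA-AES128-GCM-SHA256 suite shown in the question. All input values are constructed and the function names are this example's own.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    # P_hash from RFC 5246 section 5 with HMAC-SHA256, the PRF hash of
    # ECDHE-RSA-AES128-GCM-SHA256 (the suite in the s_client output above).
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # PRF(secret, label, seed) = P_SHA256(secret, label + seed)
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    # RFC 5246 section 8.1: 48 bytes, seeded with both hello randoms.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def extended_master_secret(pre_master, session_hash):
    # RFC 7627 section 4: seeded with the handshake transcript hash instead.
    return prf(pre_master, b"extended master secret", session_hash, 48)

def key_block(master, client_random, server_random, length=40):
    # RFC 5246 section 6.3: server_random comes first here. AES-128-GCM needs
    # 40 bytes: two 16-byte write keys and two 4-byte implicit IVs, no MAC keys.
    return prf(master, b"key expansion", server_random + client_random, length)

def split_aes128_gcm(block):
    return {"client_write_key": block[0:16], "server_write_key": block[16:32],
            "client_write_iv": block[32:36], "server_write_iv": block[36:40]}

# Constructed sample values, not taken from any real session.
PRE_MASTER = bytes(range(32))        # e.g. a 32-byte ECDHE shared secret
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32
SESSION_HASH = hashlib.sha256(b"constructed handshake transcript").digest()

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    ems = extended_master_secret(PRE_MASTER, SESSION_HASH)
    print("Master-Key (classic) :", ms.hex().upper())
    print("Master-Key (EMS)     :", ems.hex().upper())
    for name, value in split_aes128_gcm(
            key_block(ms, CLIENT_RANDOM, SERVER_RANDOM)).items():
        print(f"{name:17}: {value.hex()}")
```

The key block depends only on the master secret and the two hello randoms, which travel in the clear, so the Master-Key line of a real session is sufficient to derive that session's traffic keys and should be handled as a secret outside of debugging.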

