Using an engine for supporting SSL/TLS session creation
I have a question that is maybe similar to this one asked about a year ago: https://mta.openssl.org/pipermail/openssl-users/2017-December/007050.html. I want to experiment with trying to hide the keys and certificates used during TLS session creation inside trusted hardware. I am not sure what is possible with OpenSSL engines … whether they are just for offloading for encryption and hash algorithms or if they can be used for intercepting at a higher granularity to do things such as creating packets for an initial handshake. Looking through some source code it looks like just the former is the intent, but even here I am wondering how best to get started. Specifically for a TLS handshake I am wondering what part of the handshake can be intercepted through an engine plugin? What code should I be focused on as an example and/or to interface with for creating this engine? Also, maybe an engine is not the way to go … are there better approaches using OpenSSL for experimenting with hiding session creation material?