Using an engine for supporting SSL/TLS session creation

Birch Jr, Johnnie L

Hi,

I have a question that is maybe similar to this one asked about a year ago: https://mta.openssl.org/pipermail/openssl-users/2017-December/007050.html. I want to experiment with trying to hide the keys and certificates used during TLS session creation inside trusted hardware. I am not sure what is possible with openssl engines … whether they are just for offloading for encryption and hash algorithms or if they can be used for intercepting at a higher granularity to do things such as creating packets for an initial handshake. Looking through some source code it looks like just the former is the intent, but even here I am wondering how best to get started. Specifically for a TLS handshake I am wondering what part of the handshake can be intercepted through an engine plugin? What code should I be focused on as an example and/or to interface with for creating this engine? Also, maybe an engine is not the way to go … are there better approaches using openssl for experimenting with hiding session creation material?

Thanks,

Johnnie


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users