[openssl-dev] [openssl.org #3744] Enhancement Request

John Foley foleyj at cisco.com
Wed Mar 11 15:07:51 UTC 2015 

In addition to client authentication, another approach would be to use
TLS-SRP to protect against MITM.  Without the SRP credentials, the
attacker would not be able to establish the two TLS connections required
for MITM.

On 03/11/2015 09:35 AM, Short, Todd via RT wrote:
> This is more of a request to change the TLS protocol, than an enhancement to OpenSSL.
>
> DHE and ECDHE ciphers provide PFS to protect against compromised public key-pairs.
>
> However, if a MITM has the same certificate, signed by a trusted certificate authority, then most bets are off.
>
> Client-authentication can provide additional protection against MITM attacks, and allow servers to identify if a MITM is interfering with a valid user.
> --
> -Todd Short
> // tshort at akamai.com<mailto:tshort at akamai.com>
> // “One if by land, two if by sea, three if by the Internet."
>
> On Mar 11, 2015, at 8:28 AM, Shawn Fernandes via RT <rt at openssl.org<mailto:rt at openssl.org>> wrote:
>
> Hi,
> At the moment, we have SSL handshake making use of a single certificate, using a single key-pair present in the certificate.
> In the event the MITM has the same certificate(SSL - offloader) then the data can be encrypted/decrypted.
> Would like to know if we can have the enhancement of using random key pair, generated form each certificate, so that each SSL handshake would make use of a random key-pair, and thereby give a different key value to each encryption -decryption, and therby be able to determine if the MITM with a same certificate has decrypted & encrypted data.
> With Regards,
> Shawn
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Ddev&d=AwICAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=ds4i2k1LUtsCfZgPMHS2VdrUvh5w6_xSLfNdm1vpRPo&s=kEns4AYdLMO2_ASqWmVdf9jEzb8yMzvELxKIbzr6Mqc&e=
>
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

More information about the openssl-dev mailing list