[openssl-users] Using an engine for supporting SSL/TLS session creation

Birch Jr, Johnnie L johnnie.l.birch.jr at intel.com
Fri Nov 16 02:35:32 UTC 2018


Hi,

I have a question that is maybe similar to this one asked about a year ago: https://mta.openssl.org/pipermail/openssl-users/2017-December/007050.html. I want to experiment with trying to hide the keys and certificates used during TLS session creation inside trusted hardware. I am not sure what is possible with OpenSSL engines ... whether they are just for offloading encryption and hash algorithms or if they can be used for intercepting at a higher granularity to do things such as creating packets for an initial handshake. Looking through some source code it looks like just the former is the intent, but even here I am wondering how best to get started. Specifically for a TLS handshake, I am wondering what part of the handshake can be intercepted through an engine plugin? What code should I be focused on as an example and/or to interface with for creating this engine? Also, maybe an engine is not the way to go ... are there better approaches using OpenSSL for experimenting with hiding session creation material?

Thanks,
Johnnie