[openssl-users] Using an engine for supporting SSL/TLS session creation

Birch Jr, Johnnie L johnnie.l.birch.jr at intel.com
Fri Nov 16 02:35:32 UTC 2018


I have a question that is maybe similar to this one asked about a year ago: https://mta.openssl.org/pipermail/openssl-users/2017-December/007050.html. I want to experiment with trying to hide the keys and certificates used during TLS session creation inside trusted hardware. I am not sure what is possible with openssl engines ... whether they are just for offloading encryption and hash algorithms or if they can be used for intercepting at a higher granularity to do things such as creating packets for an initial handshake. Looking through some source code, it looks like just the former is the intent, but even here I am wondering how best to get started. Specifically, for a TLS handshake, I am wondering what part of the handshake can be intercepted through an engine plugin? What code should I be focused on as an example and/or to interface with for creating this engine? Also, maybe an engine is not the way to go ... are there better approaches using openssl for experimenting with hiding session creation material?

