On Wed, Jan 18, 2012 at 07:07:08AM +0000, Robert Ransom wrote:
On 2012-01-17, Ian Goldberg iang@cs.uwaterloo.ca wrote:
On Tue, Jan 17, 2012 at 08:43:00PM +0200, George Kadianakis wrote:
[0]: Did the Telex people clean up the patch, generalize it, and post it in openssl-dev? Having configurable {Server,Client}Hello.Random in a future version of OpenSSL would be neat.
At USENIX Security, Adam opined that openssl's callback mechanism should be able to do this with no patches to the source. (I think there was one part of Telex that would still need patches to openssl, but I don't think that was it.) You basically request a callback right after the clienthello.random is generated, and in the callback, overwrite the value. Or something like that; I don't remember exactly.
In a Telex TLS connection, the client's DH secret key is derived from the ECDH shared secret between the client's Telex ECDH key and the Telex server's ECDH key. (This has the unfortunate side effect that a client attempting to find Telex servers gives up forward secrecy for its TLS connections.) This may be the part of Telex which requires an OpenSSL patch.
Yes, that seems likely. (Note, though, that only the *wrapper* TLS loses forward secrecy, but what was inside that wrapper came out of the Telex proxy as plaintext, anyway. If the client actually connects to a TLS server as the covert destination, that TLS connection is perfectly normal.)
- Ian