Re: SSL - how to make it work?!

From: Nigel Metheringham <Nigel.Metheringham@dont-contact.us>
Date: Fri, 08 Nov 1996 10:18:32 +0000

} I want to have squid running on our firewall machine and make it
} relay (and cache) requests to an internal host that is running
             ^^^^^
} https (SSL). I can get normal http to work, but not https, which
} is what I really need...

You cannot cache https connections - since they use end-to-end encryption,
if you can (usefully) cache them then you can decode the content - which
defeats the point of SSL.

Also, if I understand you right, you are basically trying to use squid as
an http accelerator cum firewall bridge - you are letting people outside
(on the internet side of) your firewall access a single server within the
firewall. That can be done for http connections, but for https you need
something slightly different since in http accelerator mode you are not
proxying connections as such, you are instead pretending to be the real
web site. Squid cannot do this for https.

What you need to do is on the ssl port (is it 443?), put a redirector or
transparent tcp proxy - like the redir program or the TIS fwtk plug-gw.
This is configured to just take any connection (ok you can make decisions
on what) to that port and make a tcp connection to the ssl port on your
server and pass data transparently across.

One thing to watch is that for https, servers check that the SSL
certificate contains the correct DNS name for the server. This may give
you problems - maybe a split brain DNS will help.

        Nigel.

-- 
[ Nigel.Metheringham@theplanet.net   - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House          Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK.      Fax : +44 113 2345656  ]
Received on Fri Nov 08 1996 - 02:21:31 MST
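The relay Nigel describes (take a connection on the ssl port, open a TCP connection to the internal server, pass bytes across unchanged, optionally deciding which sources get through) is simple enough to show in working code. The block below is an added example written for this archive page; it is not code from the original message, nor from redir, fwtk plug-gw or Squid. It assumes loopback addresses and ephemeral ports so it runs offline with a constructed echo server standing in for the internal https host; in the real setup the relay would listen on the firewall's port 443 and `backend_addr` would be the internal server's port 443. The source allow-list and the `relay_roundtrip` helper are illustrative assumptions, not features of any named tool.

```python
"""Minimal transparent TCP relay in the spirit of redir / fwtk plug-gw.

Added example, not from the post or the tools it names. Assumptions:
loopback addresses and port 0 (ephemeral) are used for an offline demo;
in the post's setup the relay listens on the firewall's 443 and
backend_addr is the internal https server's 443.
"""
import socket
import threading


def pump(src, dst):
    """Copy bytes one direction until EOF, then propagate EOF to dst.

    The relay never parses the stream: TLS records go through untouched,
    which is exactly why a box like this cannot cache https content.
    """
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, backend_addr, allowed_sources):
    """One accepted connection: apply the source ACL, then splice to the backend."""
    try:
        src_ip = client.getpeername()[0]
    except OSError:
        client.close()
        return
    # "decisions on what" to relay: an (assumed) allow-list of source addresses
    if allowed_sources is not None and src_ip not in allowed_sources:
        client.close()
        return
    try:
        backend = socket.create_connection(backend_addr, timeout=5)
    except OSError:
        client.close()
        return
    with client, backend:
        t = threading.Thread(target=pump, args=(client, backend), daemon=True)
        t.start()
        pump(backend, client)
        t.join()


def _accept_loop(srv, on_conn):
    """Accept until the listening socket is closed, dispatching each connection."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        threading.Thread(target=on_conn, args=(conn,), daemon=True).start()


def start_relay(backend_addr, allowed_sources=None, listen_addr=("127.0.0.1", 0)):
    """Listen on listen_addr and splice every accepted connection to backend_addr.
    Returns (listening socket, bound address)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)
    threading.Thread(
        target=_accept_loop,
        args=(srv, lambda c: handle_client(c, backend_addr, allowed_sources)),
        daemon=True,
    ).start()
    return srv, srv.getsockname()


def start_echo_backend():
    """Constructed stand-in for the internal server: echoes what it receives,
    so a round trip through the relay can be checked byte for byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def echo(c):
        with c:
            pump(c, c)

    threading.Thread(target=_accept_loop, args=(srv, echo), daemon=True).start()
    return srv, srv.getsockname()


def relay_roundtrip(payload, allowed_sources=None):
    """Send payload through relay -> backend and return what comes back.
    An empty result means the relay refused or reset the connection."""
    backend, backend_addr = start_echo_backend()
    relay, relay_addr = start_relay(backend_addr, allowed_sources)
    try:
        with socket.create_connection(relay_addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            got = b""
            while True:
                d = c.recv(4096)
                if not d:
                    break
                got += d
            return got
    except OSError:
        return b""
    finally:
        relay.close()
        backend.close()


if __name__ == "__main__":
    # A TLS-looking record header (constructed bytes) passes through unchanged.
    record = b"\x16\x03\x01\x00\x05hello"
    assert relay_roundtrip(record) == record
    # A client whose address is not on the allow-list gets nothing back.
    assert relay_roundtrip(record, allowed_sources={"192.0.2.10"}) == b""
    print("bytes relayed untouched; unlisted source refused")
```

Note that `pump(c, c)` in the echo backend reuses the same copy loop, and that the relay closes a rejected client without reading it, so a peer that has already written may see a reset rather than a clean EOF; `relay_roundtrip` treats both as "refused". The client still sees whatever certificate the internal server presents, which is the DNS-name wrinkle the message ends on.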

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:30 MST