Re: SSL Proxying

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Tue, 22 Jun 1999 08:59:12 +0200

At 11:15 AM 6/21/99 -0600, Nate Jensen wrote:
>I am trying to figure out if Squid can do SSL proxying rather than SSL
>tunneling. I've searched the Web and checked out the Squid FAQs, but
>couldn't find anything that described how to do what I need. Here is
>what I'm looking at doing:

Mmm, SSL is encrypted end to end so you should not be able to do SSL proxying.
You could of course cheat and redirect SSL in Squid to an SSL proxy (I believe
there is still a setting for this) and make an ssl-server/ssl-client
combination. What you are doing then is decrypting and encrypting. This is a
man in the middle attack. The only issue you have to solve is that the
certificates of the client and the server have to be forged.

In short: SSL proxying is not an option ever. A proxy can only tunnel SSL due
to end-to-end encryption and verification (using certificates).

>
>[Web Browser]<---SSL/HTTP-->[Squid Proxy]<--HTTP-->[Web Server]
>
>The reason for this approach is because the Web server must not do SSL.
>(I know it's weird, but this is what the system specifications state.)
>
>If anyone has insight to documentation somewhere on the Web that
>describes how to do this, I would be appreciative of that. Thank you.
>
>Nate Jensen
>njensen@datanomix.com
>

---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
Tel: +31 70 3142454
E-mail: marc.van.selm@nc3a.nato.int
---------------------------------------------------------------------
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm

       === Ultimate office automation: networked coffee. ===
Received on Tue Jun 22 1999 - 01:18:46 MDT
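
The tunneling behaviour discussed in this thread, as an added example that is not part of the original post and is not Squid code: a proxy that handles only the HTTP CONNECT method reads the request line and then relays bytes without interpreting them. The loopback endpoints, the function names and the record-like payload are constructed for the illustration.

```python
import socket
import threading

def _read(sock, until=None):
    # Read until `until` appears, or until EOF when `until` is None.
    buf = b""
    while until is None or until not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def _origin(srv, seen):
    # Stand-in for the SSL server: records what arrives, echoes it back.
    conn, _ = srv.accept()
    with conn:
        seen["origin"] = _read(conn)
        conn.sendall(seen["origin"])

def _proxy(srv, seen):
    # Tunnel-only proxy: parses the CONNECT line, then copies bytes unread.
    conn, _ = srv.accept()
    with conn:
        line = _read(conn, b"\r\n\r\n").split(b"\r\n")[0].decode()
        method, target, _version = line.split(" ")
        if method != "CONNECT":                   # this sketch only tunnels
            return
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            seen["proxy"] = _read(conn)           # opaque to the proxy
            upstream.sendall(seen["proxy"])
            upstream.shutdown(socket.SHUT_WR)
            conn.sendall(_read(upstream))

def run_demo(payload=b"\x16\x03\x00\x00\x05hello"):  # constructed record-like bytes
    seen = {}
    with socket.create_server(("127.0.0.1", 0)) as origin, \
         socket.create_server(("127.0.0.1", 0)) as proxy:
        for fn, srv in ((_origin, origin), (_proxy, proxy)):
            threading.Thread(target=fn, args=(srv, seen), daemon=True).start()
        with socket.create_connection(proxy.getsockname()) as client:
            client.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.0\r\n\r\n" % origin.getsockname()[1])
            status = _read(client, b"\r\n\r\n").split(b"\r\n")[0]
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)       # end of client data
            echoed = _read(client)
    return status, seen, echoed
```

The only thing the proxy parses is the `host:port` target; everything after the `200` reply passes through byte for byte, which is why certificate verification still happens between the browser and the server.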
