Re: [SQU] transparent proxy of https needed (I have RTFM'd)

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 25 Feb 2001 02:30:15 +1100

----- Original Message -----
From: "Ian" <ian@ids.org.au>
To: "Joe Cooper" <joe@swelltech.com>
Cc: <squid-users@ircache.net>
Sent: Saturday, February 24, 2001 7:41 PM
Subject: Re: [SQU] transparent proxy of https needed (I have RTFM'd)

> On Sat, Feb 24, 2001 at 12:59:27AM -0600, Joe Cooper wrote:
>
> > becomes the client for that server. The connection between the two
> > parts is broken and the identity of each is hidden (from the ssl
> > standpoint). And there is nothing short of decrypting and
recrypting
> > every packet that comes through that will solve that. Thankfully,
it's
> > still no mean feat to crack 128bit RSA, and we certainly can't do it
inline.

Actually, the SSL accelerator code can do just that, _but_ the user is
likely to see a visual warning sign on the browser, indicating that the
host's key doesn't match the domain. MS ISA server allows this as well -
so they have obviously implemented some way of telling IE not to show
that warning.

Project for someone: find out how IE decides when a proxy is allowed to
act as the SSL endpoint and make it's own upstream SSL connection.

> Joe,
>
> this does make sense, thanks. What still stumps me, and perhaps I'm
forgetting something completely obvious, is why it is possible to
"proxy" https when I set my browser's proxy to the same squid server.
Ie: why doesn't transparent work, whle "explicit" proxying does?

This one is easy. Browsers using proxies for SSL use the CONNECT method
with the proxy to get a end to end tunneled TCP link. Then they
implement SSL on that tunneled link.
ie.
CONNECT secure.site.com:443 HTTP/1.0

SSL connection begins

When the proxy is turned off, rather than making a HTTP CONNECT request,
the browser simply starts the SSL connection.

Rob

>
> cheers,
> Ian.
>
> --
> Ian Cumming, ian@semisphere.org
>
> "The number of Unix installations has grown to 10, with more
expected."
> -- The Unix Programmer's Manual, 2nd Edition, June, 1972
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Sat Feb 24 2001 - 08:30:47 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:10 MST