Firewall Wizards mailing list archives
RE: SSL
From: Chad Schieken <cschieken () lucent com>
Date: Fri, 19 Oct 2001 08:00:44 -0400
When the browser wants to load the page http://www.ebay.com/index.html it tells the proxy something like:
GET http://www.ebay.com/index.html HTTP/1.1
In this case the proxy issues a relatively normal-looking request to the webserver, as if it was a browser.
When the browser wants to load the page https://www.ebay.com/login.html it tells the proxy something like:
CONNECT https://www.ebay.com/login.html HTTP/1.1
In this case the proxy then opens a TCP connection to port 443 on the webserver, and copies whatever bytes it receives from one side of the connection to the other. It holds this open on both sides until one side drops the connection.
What's described above doesn't really account for steps 4 & 5 below. In order to support 4 & 5 below, the proxy needs its own (X.509) cert. In this scenario, an SSL connection is built between browser and proxy, with the browser accepting the cert from the proxy. Then the request is submitted encrypted from the browser to the proxy. The proxy decrypts the request, then opens a separate connection to the webserver.
The proxy then decrypts the responses from the webserver, inspects them against policy (hopefully) and encrypts them using the separate session to the browser. I'm a little unclear about precisely when the browser's connection is broken, however I think you get the idea.
If a proxy doesn't have a cert installed, it must use the CONNECT HTTP method. Netscape has excellent documentation of the proxying process; it used to be posted in the manuals of its Proxy server.
3) Proxy manages, somehow, to act as intermediary. (This is what I don't get.)
4) The proxy sets up the SSL tunnel with the remote site.
5) The proxy sets up the SSL tunnel with the users browser.
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
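The two proxy behaviours described in the post above, as an added Python example that is not code from the original message, from Netscape's Proxy server or from any other product. It classifies a browser's request line into the plain-HTTP case (rewrite the absolute URI and forward an ordinary request to the web server, port 80 by default) and the CONNECT case (open a TCP connection to the target, port 443 by default, and relay bytes blindly until one side closes). The relay is exercised over local socketpairs with constructed opaque payloads standing in for TLS records, so it runs offline; the function names and the sample request lines are my own, IPv6 literals are not handled, and the third scenario from the post (a proxy terminating SSL with its own certificate) is not shown.

```python
import select
import socket
import threading
from urllib.parse import urlsplit


def plan_proxy_action(request_line):
    """Classify one request line received from a browser.

    Returns ("forward", host, port, origin_request_line) for plain HTTP, where
    origin_request_line is what the proxy sends on to the web server, or
    ("tunnel", host, port) for CONNECT.  Raises ValueError on malformed input.
    """
    parts = request_line.strip().split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, version = parts

    if method.upper() == "CONNECT":
        # The usual form is host:port.  Some old clients sent a full URL (as in
        # the post's example), so accept that too; the port defaults to 443.
        # IPv6 literals are not handled in this example (assumption).
        if "://" in target:
            u = urlsplit(target)
            host, port = u.hostname, u.port or 443
        elif ":" in target:
            host, port_text = target.rsplit(":", 1)
            port = int(port_text)
        else:
            host, port = target, 443
        if not host:
            raise ValueError("CONNECT without a host")
        return ("tunnel", host, port)

    # Plain HTTP through a proxy uses an absolute URI.  The proxy takes host and
    # port from it and sends the web server an ordinary origin-form request.
    u = urlsplit(target)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected an absolute http:// URI, got %r" % target)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return ("forward", u.hostname, u.port or 80, "%s %s %s" % (method, path, version))


def relay(client, upstream, bufsize=4096):
    """Copy bytes between two connected sockets until either side closes.

    This is all a CONNECT tunnel does: the proxy never sees the plaintext of
    the TLS session carried inside.  Returns the total number of bytes relayed.
    """
    total = 0
    peers = {client: upstream, upstream: client}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for sock in readable:
            data = sock.recv(bufsize)
            if not data:                 # one side hung up: tear the tunnel down
                for s in peers:
                    s.close()
                return total
            peers[sock].sendall(data)
            total += len(data)


def demo_tunnel():
    """Run a CONNECT-style tunnel between two socketpairs (no network needed).

    Returns (bytes the server saw, bytes the browser got back).  The payloads
    are constructed opaque blobs, not real TLS handshake messages.
    """
    browser, proxy_client_side = socket.socketpair()
    proxy_upstream_side, server = socket.socketpair()
    worker = threading.Thread(target=relay, args=(proxy_client_side, proxy_upstream_side))
    client_hello = b"\x16\x03\x01" + b"A" * 29   # constructed stand-in for a ClientHello
    server_hello = b"\x16\x03\x03" + b"B" * 29   # constructed stand-in for a ServerHello
    worker.start()
    browser.sendall(client_hello)
    seen_by_server = server.recv(4096)
    server.sendall(server_hello)
    seen_by_browser = browser.recv(4096)
    browser.close()                              # browser drops: relay closes both sides
    worker.join()
    server.close()
    return seen_by_server, seen_by_browser


if __name__ == "__main__":
    print(plan_proxy_action("GET http://www.ebay.com/index.html HTTP/1.1"))
    print(plan_proxy_action("CONNECT www.ebay.com:443 HTTP/1.1"))
    print(demo_tunnel())
```

The forward case is where a proxy can apply policy to the request and response; in the tunnel case the only things the proxy ever learns are the target host and port from the CONNECT line and the byte counts, which is why inspecting HTTPS content requires the separate certificate-based setup the post goes on to describe.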