Article delegate-en/1500 of [1-5169] on the server localhost:119
[Reference:<_A1497@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: HTTPS -> HTTP -> virus-checking ->HTTP -> HTTPS
23 Jan 2002 12:41:14 GMT feedback@delegate.org (Yutaka Sato)


Hi,

On 01/22/02(07:05) you Tobias Geis <p2acqbdyi-e6yerocu2xtr.ml@ml.delegate.org> wrote
in <_A1497@delegate-en.ML_>
 |first of all thanks for your help.
 |
 |But it still does not work like I want. :-(
 |
 |I need a configuration like the following:
 |
 |+--------+   +----------+   +----------+   +----------+   +---------+
 ||Client  |***|Delegate 1|---|Viruscheck|---|Delegate 2|***|Server   |
 ||PubKey A|   |PrivKey A |   |  Proxy   |   |PubKey B  |   |PrivKey B|
 |+--------+   +----------+   +----------+   +----------+   +---------+
 |
 |
 |  *** HTTPS
 |  --- HTTP
 |  +-+
 |  | | Hardware-box
 |  +-+
 |
 |So I have to run two Delegates on Linux systems.
 |It works fine when Delegate 1 AND 2 have the same certificates and keys
 |(server-cert.pem and server-key.pem) as the Apache HTTPS server.

Sorry, but I could not understand what worked fine with which configuration
parameters.  Did you succeed in proxying HTTPS in a configuration like the above?
Does the "Viruscheck Proxy" work with the "CONNECT" method, doing virus
checking on the relayed message?

 |But in the "real" world I do not know the servers private key.
 |
 |I do not know how to solve this problem.
 |Your software is the first one that I think would give me the ability to
 |solve my problem.
 |
 |I hope I do not get on your nerves and you can give me some tips. :-)

Maybe what you need is forwarding the certificate of origin servers to
your client, passed through an HTTP proxy (or chained proxies).
If so, I myself have also been interested in it for a long time.
But there is no standardised way to do so, even if it is possible.
The SSL protocol works as follows in principle:

<URL:http://home.netscape.com/eng/ssl3/draft302.txt>
>  Client                                                Server
>
>  ClientHello                   -------->
>                                                   ServerHello
>                                                  Certificate*
>                                            ServerKeyExchange*
>                                           CertificateRequest*
>                                <--------      ServerHelloDone
>  Certificate*
>  ClientKeyExchange
>  CertificateVerify*
>  [ChangeCipherSpec]
>  Finished                      -------->
>                                            [ChangeCipherSpec]
>                                <--------             Finished
>  Application Data              <------->     Application Data
>
>  * Indicates optional or situation-dependent messages that are not
>  always sent.

A possible extension could be as follows, though I'm not sure whether it
works in principle.

  SSL-client    SSL-server/proxy          SSL-client/proxy       SSL-server
  ------------- ------------------------- ---------------------- -----------
  ClientHello ->
                CONNECT host:443 HTTP/1.0 ->
                SSL-Control: ...
                                          ClientHello ->
                                                              <- ServerHello
                                                              <- Certificate
                                       <- HTTP/1.0 200 Connected
                                       <- SSL-Certificate: (in BASE64 or PEM)
  ServerHello <-
  Certificate <-
  ------------- ------------------------- ---------------------- -----------

Cheers,
Yutaka
--
  @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
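The CONNECT exchange sketched in the message above, as an added example that is not part of the original post and not DeleGate code. The header names SSL-Control and SSL-Certificate come from the post; everything else is an assumption: the certificate is carried as single-line base64 of the DER bytes (a header value cannot hold PEM line breaks), the SSL-Control value "forward-certificate", and a SHA-256 pin check standing in for whatever the client would do with the forwarded certificate. The certificate bytes are a constructed placeholder, not a real X.509 object.

```python
"""Sketch of the CONNECT-with-certificate extension proposed above.

Added example, not DeleGate code.  Assumed: single-line base64(DER) in the
SSL-Certificate header, the SSL-Control value, and the pin check.
"""
import base64
import hashlib

# Constructed stand-in for the origin server's DER certificate.  In a real
# deployment the upstream proxy would take this from the Certificate message
# it received from the origin (e.g. ssl.SSLSocket.getpeercert(True)).
FAKE_ORIGIN_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def build_connect_request(host, port):
    """Downstream proxy -> upstream proxy: CONNECT plus the SSL-Control hint
    asking for the origin certificate to be forwarded (assumed value)."""
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "SSL-Control: forward-certificate\r\n\r\n").encode("ascii")


def build_connect_response(der_cert):
    """Upstream proxy -> downstream proxy: '200 Connected' carrying the
    certificate seen in the origin's ServerHello/Certificate flight."""
    # One base64 line: HTTP header values cannot carry PEM line breaks.
    b64 = base64.b64encode(der_cert)
    return b"HTTP/1.0 200 Connected\r\nSSL-Certificate: " + b64 + b"\r\n\r\n"


def parse_connect_response(raw):
    """Return (status_code, der_cert_or_None); ValueError on malformed input."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("bad status line")
    status = int(parts[1])
    der = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"ssl-certificate":
            # validate=True rejects stray characters instead of silently
            # discarding them, so a corrupted header cannot decode "cleanly".
            der = base64.b64decode(value.strip(), validate=True)
    return status, der


def fingerprint(der_cert):
    """SHA-256 over the DER bytes, the usual certificate pin format."""
    return hashlib.sha256(der_cert).hexdigest()


def client_accepts(raw_response, pinned_sha256):
    """What the SSL-client side (or Delegate 1 on its behalf) would check:
    the tunnel came up AND the forwarded certificate matches the pin."""
    status, der = parse_connect_response(raw_response)
    if status != 200 or der is None:
        return False
    return fingerprint(der) == pinned_sha256


if __name__ == "__main__":
    req = build_connect_request("www.example.com", 443)
    resp = build_connect_response(FAKE_ORIGIN_DER)
    print(req.decode())
    print(resp[:60], b"...")
    print("accepted:", client_accepts(resp, fingerprint(FAKE_ORIGIN_DER)))
```

The caveat a practitioner should keep in mind with this scheme: the SSL-client never sees the origin's handshake, so it only learns that the proxy *claims* the origin presented this certificate; it cannot check that the origin proved possession of the matching private key, and the claim is protected solely by the client's own TLS session with Delegate 1. The client must therefore trust the proxy chain, and the forwarded certificate still has to be validated against a trust store or a pin as above.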
