Article delegate-en/3841 of [1-5169] on the server localhost:119
[Reference:<_A3838@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: checking https traffic for anomalies on client side...
02 Oct 2007 15:13:43 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3838@delegate-en.ML_> on 10/02/07(00:43:56)
you "gink0" <p7yhabdyi-aipiirhggulr.ml@ml.delegate.org> wrote:
 |I've read the manual, but I still don't know if it is possible to do this
 |with https traffic:
 |I have three servers:
 |Server A is running delegate (as a proxy for users accessing the internet),
 |server B is a firewall (capable of http application inspection)
 |and server C is another delegate in the demilitarized zone.
 |
 |Is it possible with delegate to decrypt https communication (the user will
 |be presented with the delegate certificate),
 |then pass the decrypted http traffic through the firewall and then (after
 |inspection on the firewall),
 |finally let the delegate on server C connect through https to the destination
 |server.
 |
 |A(delegate decrypt)->B(http application fw)->C(delegate encrypt)->internet

In old versions, it was possible, in a somewhat complex way, using
FSV="sslway -ac" with the MASTER parameter.
But in the newer versions, it should be realized with the "Man-In-The-Middle"
proxy by STLS="mitm", so I implemented it in the enclosed patch.
With the patch, your usage can be configured like this:

hostA: accepts CONNECT, decrypts HTTPS/SSL, forwards GET https://server/path to hostC.

  delegated -P8080 SERVER=http STLS=mitm,-fsv PROXY=hostC:8080

hostC: encrypts the connection to the server if the URL is "https://server".

  delegated -P8080 SERVER=http STLS=fsv:https

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** ../dist/src/delegate9.7.2/src/stls.c	Thu Sep 20 12:04:00 2007
--- src/stls.c	Tue Oct  2 23:52:33 2007
***************
*** 202,207 ****
--- 202,219 ----
  	if( (ServerFlags & PF_STLS_CHECKED) == 0 ){
  		checkWithSTLS(Conn,"FSV",REAL_PROTO,"");
  
+ 		if( (ClientFlags & PF_MITM_ON)
+ 		 && (ServerFlags & PF_STLS_OPT)
+ 		){
+ 			/* STLS=mitm,-fsv
+ 			 * expecting STLS=fsv in the upstream proxy
+ 			 * as PROXY, MASTER, or SOCKS
+ 			 */
+ 			sv1log("-- STLS=mitm,-fsv %X %d,%d,%d\n",ServerFlags,
+ 				toMaster,toProxy,ServViaSocks);
+ 			ServerFlags |= PF_SSL_ON;
+ 			return 0;
+ 		}
  		if( ServerFlags & (PF_SSL_ON|PF_STLS_ON) ){
  		}else
  		if( ServerFlags & PF_STLS_DO )
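Review bot: the new branch `if( (ClientFlags & PF_MITM_ON) && (ServerFlags & PF_STLS_OPT) )` sets `PF_SSL_ON` and returns before anything confirms that an upstream exists; the comment says `STLS=fsv` is "expected" in the upstream proxy as PROXY, MASTER or SOCKS, but `toMaster`, `toProxy` and `ServViaSocks` are only written to the log. If none of them is set (hostA started without PROXY=), the request that was decrypted for inspection is sent on to the origin server in plaintext while the flags claim SSL is on. Suggest gating the branch on `toMaster || toProxy || ServViaSocks` and logging a warning, or refusing the request, otherwise, so a missing upstream fails closed.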
***************
*** 529,534 ****
--- 541,548 ----
  	}else
  	{
  	connect_to_servX(Conn,FromC,ToC,0,0); /* CFI is not inserted yet */
+ 		if( ServerFlags & PF_SSL_ON ){
+ 		}else
  		if( 0 <= ToS && toProxy ){
  			SSLtunnelNego(Conn,host,port,ToS);
  		}
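Review bot: the empty then-branch `if( ServerFlags & PF_SSL_ON ){ }else` exists only to skip `SSLtunnelNego()`; folding it into the existing condition, `if( !(ServerFlags & PF_SSL_ON) && 0 <= ToS && toProxy )`, says the same thing without an empty block. A one-line comment that the CONNECT negotiation with the upstream proxy is skipped because the request goes to it as a plain `GET https://...` and the upstream (STLS=fsv:https on hostC) does the encryption would help the next reader of this function.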

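As an added example for the two-command configuration above (not DeleGate's own code): a small check that the decrypting leg on hostA actually has an upstream configured, that its PROXY= port matches hostC's listening port, and that hostC re-encrypts with STLS=fsv:https, which is the case the patch's comment expects but does not enforce. The only syntax assumed is the NAME=value and -Pport form shown in the message.

```python
import shlex

# Upstream parameters the patch comment names as carriers of STLS=fsv
UPSTREAM_KEYS = ("PROXY", "MASTER", "SOCKS")

def parse_args(cmdline):
    """Split 'delegated -P8080 NAME=value ...' into a dict.
    '-P8080' style options are keyed by their flag letter ('-P')."""
    params = {}
    for tok in shlex.split(cmdline)[1:]:      # drop the 'delegated' command
        if tok.startswith("-"):
            params[tok[:2]] = tok[2:]
        elif "=" in tok:
            name, value = tok.split("=", 1)
            params[name] = value
    return params

def stls_opts(params):
    """STLS is a comma-separated option list: 'mitm,-fsv' -> {'mitm', '-fsv'}."""
    return {o for o in params.get("STLS", "").split(",") if o}

def check_chain(host_a_cmd, host_c_cmd):
    """Return findings for the decrypting (A) and re-encrypting (C) legs;
    an empty list means the chain is consistent."""
    a, c = parse_args(host_a_cmd), parse_args(host_c_cmd)
    a_opts, c_opts = stls_opts(a), stls_opts(c)
    findings = []
    if "mitm" not in a_opts:
        findings.append("A: STLS=mitm missing, HTTPS is not decrypted for inspection")
    if "-fsv" in a_opts:
        upstream = [k for k in UPSTREAM_KEYS if k in a]
        if not upstream:
            # the patch sets PF_SSL_ON here without checking that an upstream exists
            findings.append("A: STLS=-fsv without PROXY/MASTER/SOCKS: "
                            "decrypted traffic would reach the origin in plaintext")
        elif "PROXY" in a:
            port = a["PROXY"].rsplit(":", 1)[-1]
            if port != c.get("-P"):
                findings.append(f"A: PROXY port {port} != C listening port {c.get('-P')}")
    if not any(o.startswith("fsv") for o in c_opts):
        findings.append("C: STLS=fsv:https missing, the upstream leg is not re-encrypted")
    return findings

# The two command lines from the message above
HOST_A = "delegated -P8080 SERVER=http STLS=mitm,-fsv PROXY=hostC:8080"
HOST_C = "delegated -P8080 SERVER=http STLS=fsv:https"

if __name__ == "__main__":
    for line in check_chain(HOST_A, HOST_C) or ["chain is consistent"]:
        print(line)
```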