Hi,

In message <_A3838@delegate-en.ML_> on 10/02/07(00:43:56) you "gink0" <p7yhabdyi-aipiirhggulr.ml@ml.delegate.org> wrote:
 |I've read the manual, but I still don't know if it is possible to do this
 |with https traffic:
 |I have three servers:
 |Server A is running delegate (as a proxy for users accessing the internet),
 |server B is a firewall (capable of http application inspection)
 |and server C is another delegate in the demilitarized zone.
 |
 |Is it possible with delegate to decrypt https communication (the user will
 |be presented with the delegate certificate),
 |then pass the decrypted http traffic through the firewall and then (after
 |inspection on the firewall),
 |finally let the delegate on server C connect through https to the destination
 |server.
 |
 |A(delegate decrypt)->B(http application fw)->C(delegate encrypt)->internet

In old versions, it was possible, in a slightly complex way, using FSV="sslway -ac" with the MASTER parameter. But in the newer versions, it should be realized with the "Man-In-The-Middle" proxy by STLS="mitm", so I implemented it as the enclosed patch. With the patch, your usage can be configured like this:

hostA: accepts CONNECT, decrypts HTTPS/SSL, forwards GET https://server/path.
  delegated -P8080 SERVER=http STLS=mitm,-fsv PROXY=hostC:8080

hostC: encrypts with a server if the URL is "https://server"
  delegated -P8080 SERVER=http STLS=fsv:https

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B.
Fuller *** ../dist/src/delegate9.7.2/src/stls.c Thu Sep 20 12:04:00 2007 --- src/stls.c Tue Oct 2 23:52:33 2007 *************** *** 202,207 **** --- 202,219 ---- if( (ServerFlags & PF_STLS_CHECKED) == 0 ){ checkWithSTLS(Conn,"FSV",REAL_PROTO,""); + if( (ClientFlags & PF_MITM_ON) + && (ServerFlags & PF_STLS_OPT) + ){ + /* STLS=mitm,-fsv + * expecting STLS=fsv in the upstream proxy + * as PROXY, MASTER, or SOCKS + */ + sv1log("-- STLS=mitm,-fsv %X %d,%d,%d\n",ServerFlags, + toMaster,toProxy,ServViaSocks); + ServerFlags |= PF_SSL_ON; + return 0; + } if( ServerFlags & (PF_SSL_ON|PF_STLS_ON) ){ }else if( ServerFlags & PF_STLS_DO ) *************** *** 529,534 **** --- 541,548 ---- }else { connect_to_servX(Conn,FromC,ToC,0,0); /* CFI is not inserted yet */ + if( ServerFlags & PF_SSL_ON ){ + }else if( 0 <= ToS && toProxy ){ SSLtunnelNego(Conn,host,port,ToS); }
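Review bot: the new STLS=mitm,-fsv branch in the first hunk (stls.c, new lines 202-219) sets ServerFlags |= PF_SSL_ON and returns 0 without verifying that an upstream hop actually exists; toMaster, toProxy and ServViaSocks are only written to the sv1log() line. If none of PROXY, MASTER or SOCKS is configured, the decrypted request leaves the MITM side toward the origin server as plaintext HTTP while the flags claim SSL is on. Suggest guarding the branch, e.g. `if( (ClientFlags & PF_MITM_ON) && (ServerFlags & PF_STLS_OPT) && (toMaster || toProxy || ServViaSocks) )`, and logging a clear error (rather than proceeding) when the "-fsv" option is given with no upstream to re-encrypt. Two smaller points on the same lines: the test is against the generic PF_STLS_OPT flag, so the comment "STLS=mitm,-fsv" is accurate only if no other STLS option sets that flag, which is worth confirming or replacing with a dedicated flag; and reusing PF_SSL_ON to mean "plaintext to an upstream that will do TLS" deserves a comment at the point it is set, since readers of later `ServerFlags & PF_SSL_ON` checks will assume a real TLS session.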
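Review bot: in the second hunk (stls.c, new lines 541-548) the added `if( ServerFlags & PF_SSL_ON ){ }else if( 0 <= ToS && toProxy ){` leaves an empty then-block whose only purpose is to suppress SSLtunnelNego(); fold it into the condition as `if( !(ServerFlags & PF_SSL_ON) && 0 <= ToS && toProxy )` and add a one-line comment saying why the CONNECT tunnel negotiation must be skipped here (the upstream proxy is to receive the plain "GET https://server/path" request and do the TLS itself, as the first hunk's comment states). Without that comment the dependency on the PF_SSL_ON value set in the first hunk is invisible at this site.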
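The hostA/hostC configuration above depends on the inspected leg carrying proxy-style requests with an absolute URI ("GET https://server/path"), which the hostC side, running STLS=fsv:https, turns back into a TLS connection to the origin only when the scheme is https. The following Python sketch is an added example, not DeleGate's code or the author's patch: it models that decision for the re-encrypting hop, with default ports, the rewrite of the request line to origin form, and rejection of requests (CONNECT, origin-form targets) that would not be inspectable on the plaintext leg. All function and field names are the example's own.

```python
"""Decide the upstream leg for a proxied absolute-URI request (added example).

Models the hostC role in A -> B -> C: a request arrives in plaintext, e.g.
"GET https://server/path HTTP/1.1"; we parse the absolute URI, pick the origin
host/port, and decide whether the hop to the origin must be TLS.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical helper table: default ports per scheme.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class UpstreamPlan:
    scheme: str
    host: str
    port: int
    use_tls: bool         # True: re-encrypt toward the origin (fsv:https behaviour)
    origin_request: str   # request line rewritten from absolute-URI to origin form


def plan_upstream(request_line: str) -> UpstreamPlan:
    """Parse 'METHOD absolute-URI HTTP/x.y' as a forward proxy receives it."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method.upper() == "CONNECT":
        # A CONNECT tunnel would carry opaque TLS through the inspecting
        # firewall; the design above keeps this leg as plain HTTP only.
        raise ValueError("CONNECT is not allowed on the inspected leg")
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        # Origin-form targets ("GET /path") carry no scheme, so the hop
        # cannot know whether the origin expects TLS; refuse them.
        raise ValueError("request target must be an absolute http(s) URI")
    port = url.port or DEFAULT_PORTS[url.scheme]
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return UpstreamPlan(
        scheme=url.scheme,
        host=url.hostname,
        port=port,
        use_tls=(url.scheme == "https"),
        origin_request=f"{method} {path} {version}",
    )


def triage(request_lines):
    """Return (accepted plans, rejected lines) for a batch of request lines."""
    accepted, rejected = [], []
    for line in request_lines:
        try:
            accepted.append(plan_upstream(line))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    sample = [
        "GET https://server/path HTTP/1.1",
        "GET http://server:8080/a?b=1 HTTP/1.1",
        "CONNECT server:443 HTTP/1.1",
        "GET /path HTTP/1.1",
    ]
    ok, bad = triage(sample)
    for p in ok:
        print(f"{p.host}:{p.port} tls={p.use_tls} -> {p.origin_request}")
    for line in bad:
        print("rejected:", line)
```

Run it directly to see which constructed requests the hop would forward with TLS, which without, and which it refuses; in the chain above, only the accepted https requests correspond to what hostA emits after decrypting a client's CONNECT.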