Florian Weimer wrote:
> * Nelson Bolyard:
>
>> Florian Weimer wrote, On 2007-12-07 02:54:
>>
>>> Is it possible to configure NSS (or, more precisely, Firefox) to
>>> terminate SSL connections on the web proxy, so that the proxy
>>> receives requests in the clear (and handles the certificate
>>> verification)?
>>
>> I think, but am not certain, that you're describing something like this:
>>
>>               Intranet                 public Internet
>>    [browser]----------[proxy]---------------------[server]
>>                plain                        SSL
>
> Yes, exactly.
>
>> If that's what you're asking, the answer is: no. The browser cannot
>> be configured to fetch an https URL without using SSL itself.
>
> Oh, how unfortunate. Is it possible to disable all certificate checks?

So the question naturally arises: "why do you want this?". I've seen proposals for this kind of gateway back in the early '90s as a way of providing secure email access for browsers which did not support https:. In this case the browser would connect to the proxy with a special http:// address which would get rewritten to https://. That only made sense if the proxy sat on a firewall between the browser and some sort of secure corporate network. An SSL-aware browser could still use the http:// address, but would not give the user any indication that the connection is secure (basically because it isn't).
A browser connecting with an https:// address that knows about SSL will not work in this configuration precisely because such a configuration is considered an attack by SSL. Disabling certificate checks will enable that attack. (Think of the attacker that DNS-spoofs the server. He would be able to terminate the client's SSL connection, create his own to the target server, and snoop on (and/or modify) all the traffic between the user and the server --- exactly what SSL is meant to avoid.)

So if you can find a way to do this, let us know. It would be a bug in the SSL protocol (or the NSS implementation of it :).
NOTE1: If you are trying to set up a proxy server on a firewall, most proxies will proxy the https traffic by directly forwarding it. That is, it is possible to reroute https:// requests through your proxy, but your proxy isn't allowed to see or modify the data. This does not violate the SSL guarantees, since SSL doesn't care how it gets to the server, only that it 1) gets to the correct server, and 2) the traffic between the two is 'protected' throughout the connection.

NOTE2: None of the proxies Nelson mentioned will work if the user is using SSL client auth. This is one of the strongest arguments for why mission-critical SSL usage should use SSL client auth.
bob
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
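The forwarding proxy that NOTE1 describes, as an added example written for this page (it is not code from the thread, from NSS, or from any real proxy): a Python model of the proxy side of an https CONNECT tunnel. It parses the CONNECT request, walks only the framing of the browser's first TLS record to pull out the server_name, checks that the SNI agrees with the CONNECT target, and otherwise relays the bytes untouched. The ClientHello it works on is constructed by the script itself, and the function names (`parse_connect`, `sni_from_client_hello`, `build_client_hello`, `proxy_decision`) are assumptions for illustration.

```python
import struct


def parse_connect(request):
    """Parse the request line of 'CONNECT host:port HTTP/1.x' (bytes) and
    return (host, port). The proxy acts on this line only; everything that
    follows its 200 reply is tunnel payload it must copy unchanged."""
    line, _, _ = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(b":")
    if not host or not port.isdigit():
        raise ValueError("CONNECT authority must be host:port")
    return host.decode("ascii"), int(port)


def sni_from_client_hello(record):
    """Return the server_name carried in a TLS ClientHello record, or None if
    the hello has no SNI extension. Only the handshake framing is parsed;
    nothing here can decrypt or alter what follows the hello."""
    if len(record) < 5 or record[0] != 0x16:          # record type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    pos += 1 + hello[pos]                             # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                             # compression_methods
    if pos + 2 > len(hello):
        return None                                   # hello carries no extensions
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                             # 0 = server_name
            continue
        lpos = 2                                      # skip server_name_list length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if name_type == 0:                        # host_name
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None


def build_client_hello(server_name):
    """Constructed sample input (not a captured browser hello): a minimal
    TLS 1.2 ClientHello whose only extension is server_name. A real browser
    sends far more, but the framing the proxy has to walk is the same."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)                  # version, random (zeroed)
             + b"\x00"                                # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
             + b"\x01\x00"                            # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def proxy_decision(connect_request, first_record):
    """What a forwarding proxy can decide from the two things it sees: the
    CONNECT target and the SNI in the first record. It holds neither the
    server's key nor the client's, so the record is relayed exactly as is."""
    host, port = parse_connect(connect_request)
    sni = sni_from_client_hello(first_record)
    return {
        "target": (host, port),
        "sni": sni,
        "sni_matches_target": sni is None or sni.lower() == host.lower(),
        "relay_unchanged": first_record,   # bytes go to the server untouched
    }


if __name__ == "__main__":
    req = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    print(proxy_decision(req, build_client_hello("www.example.com")))
```

The SNI/CONNECT comparison is the most a forwarding proxy can sensibly police: it knows where the tunnel goes, but the certificate check, the key exchange and any client-auth signature happen end to end between browser and server, which is why terminating the connection on the proxy is indistinguishable from the DNS-spoofing attacker described above.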