Adam Back wrote:
> On Tue, Jul 23, 2002 at 06:11:04PM +0000, Jason Holt wrote:
>
>> The default behavior for an SSL proxy is to pass the encrypted bytes
>> back and forth, allowing you to connect all the way to the other server.
>
> This isn't just the default behavior; it's the only defined behavior
> right?
>
>> However, it is possible for the proxy to have its own CA which has
>> been added to your browser. Then it acts as a man in the middle and
>> pretends to be the remote host to you, and vice versa. In that
>> case, it works as you describe, watching the data during its interim
>> decryption.
>
> While it's _possible_ to do this, I've never heard of a server hosted
> application that advertises that it's doing this. I would think it
> would be quite hard to get a CA to issue you a certificate if this is
> what you intended to do with it (act as a general MITM on SSL
> connections you proxy).
Errr - it's tricky anyway, coz the cert has to match the final destination, and, by definition almost, that can't be the proxy.

I believe it's pretty common for server farms to use SSL-enabled reverse proxies where the SSL terminates at the proxy. Different scenario, though.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
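The passthrough behaviour the thread describes, as an added example that is not code from any of the posters: a client opens a CONNECT tunnel through an HTTP proxy and then runs TLS end to end through it, with the hostname rule that explains Ben's point (a certificate naming the proxy can never match the final destination, so interception only works if the proxy's own CA is already in the client's trust store). The proxy address, hostnames and certificate fields are assumptions for illustration.

```python
# Added example, not from the thread: CONNECT tunnelling and the hostname rule.
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    # CONNECT asks the proxy for a raw TCP tunnel; after a 2xx reply the proxy
    # only relays bytes, so the TLS handshake runs end to end through it.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_connect_response(data: bytes) -> int:
    # Status code from the proxy's reply to CONNECT (2xx = tunnel open).
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT response: {status_line!r}")
    return int(parts[1])

def hostname_matches(expected_host: str, cert_names: list) -> bool:
    # The RFC 6125 check a browser applies to the leaf certificate: a name must
    # equal the final destination, or be a leftmost-label wildcard with the same
    # label count. A certificate that names the proxy itself never matches.
    host_labels = expected_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels) > 2
                and labels[1:] == host_labels[1:]):
            return True
    return False

def cert_dns_names(cert: dict) -> list:
    # dNSName SANs (falling back to CN) from ssl.SSLSocket.getpeercert().
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def tunnel_tls_via_proxy(proxy: tuple, host: str, port: int = 443) -> ssl.SSLSocket:
    # Open the tunnel, then start TLS through it. The proxy sees only ciphertext;
    # create_default_context() verifies the chain and the hostname against `host`.
    raw = socket.create_connection(proxy)
    raw.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    if parse_connect_response(reply) // 100 != 2:
        raise ConnectionError("proxy refused the tunnel: " + reply.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return ssl.create_default_context().wrap_socket(raw, server_hostname=host)
```

Calling `tunnel_tls_via_proxy(("proxy.example.net", 3128), "www.example.com")` succeeds only if the far end's certificate chains to a trusted root and names www.example.com; a proxy that terminates TLS with a certificate for its own name fails exactly that check.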