Bruce:

You may want to look at Paros. It's an open source proxy where you can see the HTTPS traffic in plain text.

Best Regards.
Umesh.

----- Original Message -----
From: "Bruce Keats" <[EMAIL PROTECTED]>
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Monday, December 10, 2007 9:28 PM
Subject: Re: Terminating SSL on the web proxy

> I was curious about the last scenario.
>
> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>
>         Public Internet           Intranet
> [browser]---------------------[proxy]----------[server]
>                 SSL                   plain
>
> In this case, does the proxy have to convert the URIs from browser as well
> as terminate the SSL connection? Specifically, does the proxy have to
> convert the URI from the browser by changing https:// to http:// to the
> server? Does the proxy have to convert the URI from the server by changing
> http:// to https:// when going in the reverse direction?
>
> Thanks,
> Bruce
>
> On Dec 7, 2007 6:35 PM, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
>
>> Florian Weimer wrote, On 2007-12-07 02:54:
>> > Is it possible to configure NSS (or, more precisely, Firefox) to
>> > terminate SSL connections on the web proxy, so that the proxy receives
>> > requests in the clear (and handles the certificate verification)?
>>
>> I think, but am not certain, that you're describing something like this:
>>
>>    Intranet           public Internet
>> [browser]----------[proxy]---------------------[server]
>>            plain                  SSL
>>
>> and you're asking if the browser can be configured so that when it
>> attempts to fetch an https URL, it does not use SSL itself, but sends
>> the request unencrypted as an http request to a proxy on the client's
>> side of the Internet, and SSL is used between the proxy and the server,
>> but not between the browser and the proxy.
>>
>> If that's what you're asking, the answer is: no. The browser cannot be
>> configured to fetch an https URL without using SSL itself.
>>
>> You might be asking about either of these alternatives, both of which
>> assume that the browser is attempting to fetch an https URL:
>>
>> 1. The Man-In-The-Middle proxy
>>
>>    Intranet           public Internet
>> [browser]----------[proxy]---------------------[server]
>>             SSL                   SSL
>>
>> In this picture, the browser is using SSL to talk to the proxy, and
>> the proxy is using SSL to talk to the server. The SSL is not
>> "end to end". The proxy decrypts everything coming in one side and
>> encrypts it before sending it outside the other. This is called a
>> "Man In The Middle" (as I'm sure you know). It is possible to
>> configure a browser to work with such a proxy, by configuring the
>> browser to accept certificates from a pseudo-CA that operates in the
>> proxy. In the absence of such configuration, the browser should be able
>> to detect all attempts to do this, as being attacks on the secure
>> communications. (I'm sure you know this.)
>>
>> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>>
>>         Public Internet           Intranet
>> [browser]---------------------[proxy]----------[server]
>>                 SSL                   plain
>>
>> Here the proxy acts as the server, as seen by the Internet. The browser
>> connects to the proxy via https with SSL, and the proxy sends the
>> request on to the true "back end" server as an ordinary http request, in
>> plain text, unencrypted. This sort of thing happens all the time, and
>> requires no special browser configuration. The browser simply thinks
>> that the proxy is the server in the https URL, and contacts it normally
>> with SSL.
>>
>> If you're asking about something else, please explain.
>>
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
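The URI question raised above for the reverse-proxy scenario, sketched as an added example that is not part of the original thread and not code from any proxy product. The host names, the `X-Forwarded-Proto` convention and both function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "www.example.com"                     # assumed name the browser sees over https
BACKEND_HOSTS = {"app.internal:8080", PUBLIC_HOST}  # assumed authorities the back end may emit


def to_backend_request(request_line, headers):
    """Forward a request received over SSL to the plain-HTTP back end.

    A browser talking to what it believes is the origin server sends an
    origin-form target ("GET /path HTTP/1.1"), so the request line carries
    no scheme to convert. The proxy only records the original scheme so the
    back end can build correct absolute URLs.
    """
    method, target, version = request_line.split(" ", 2)
    if not target.startswith("/"):
        raise ValueError("expected origin-form request target")
    # Drop any client-supplied value so the back end trusts only the proxy's.
    fwd = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-proto"}
    fwd["X-Forwarded-Proto"] = "https"
    return f"{method} {target} {version}", fwd


def rewrite_location(value):
    """Map a back-end redirect target to the public https origin.

    Only absolute http:// URLs naming the back end or the public host are
    rewritten; relative and third-party URLs pass through unchanged.
    """
    parts = urlsplit(value)
    if parts.scheme != "http" or parts.netloc.lower() not in BACKEND_HOSTS:
        return value
    return urlunsplit(("https", PUBLIC_HOST, parts.path, parts.query, parts.fragment))
```

The same rewrite applies to any absolute URL the back end emits in headers; links inside response bodies are usually better fixed by having the back end honour the forwarded scheme.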