Bruce:
You may want to look at Paros. Its an open source proxy where you can
see the HTTPS traffic in plain text.
Best Regards.
Umesh.
----- Original Message -----
From: "Bruce Keats" <[EMAIL PROTECTED]>
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Monday, December 10, 2007 9:28 PM
Subject: Re: Terminating SSL on the web proxy
>I was curious about the last scenario.
>
> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>
> Public Internet Intranet
> [browser]---------------------[proxy]----------[server]
> SSL plain
>
> In this case, does the proxy have to convert the URIs from browser as well
> as terminate the SSL connection? Specifically, does the proxy have to
> convert the URI from the browser by changing https:// to http:// to the
> server? Does the proxy have to convert the URI from the server by
> changing
> http:// to https:// when going in the reverse direction?
>
> Thanks,
> Bruce
>
> On Dec 7, 2007 6:35 PM, Nelson Bolyard <[EMAIL PROTECTED]>
> wrote:
>
>> Florian Weimer wrote, On 2007-12-07 02:54:
>> > Is it possible to configure NSS (or, more precisely, Firefox) to
>> > terminate SSL connections on the web proxy, so that the proxy receives
>> > requests in the clear (and handles the certificate verification)?
>>
>> I think, but am not certain, that you're describing something like this:
>>
>> Intranet public Internet
>> [browser]----------[proxy]---------------------[server]
>> plain SSL
>>
>> and you're asking if the browser can be configured so that when it
>> attempts to fetch an https URL, it does not use SSL itself, but sends
>> the request unencrypted as an http request to a proxy on the client's
>> side of the Internet, and SSL is used between the proxy and the server,
>> but not between the browser and the proxy.
>>
>> If that's what you're asking, the answer is: no. The browser cannot be
>> configured to fetch an https URL without using SSL itself.
>>
>> You might be asking about either of these alternatives, both of which
>> assume that the browser is attempting to fetch an https URL:
>>
>> 1. The Man-In-The-Middle proxy
>>
>> Intranet public Internet
>> [browser]----------[proxy]---------------------[server]
>> SSL SSL
>>
>> In this picture, the browser is using SSL to talk to the proxy, and
>> the proxy is using SSL to talk to the server. The SSL is not
>> "end to end". The proxy decrypts everything coming in one side and
>> encrypts it before sending it outside the other. This is called a
>> "Man In The Middle" (as I'm sure you know). It is possible to
>> configure a browser to work with such a proxy, by configuring the
>> browser to accept certificates from a pseudo-CA that operates in the
>> proxy. In the absence of such configuration, the browser should be able
>> to detect all attempts to do this, as being attacks on the secure
>> communications. (I'm sure you know this.)
>>
>>
>> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>>
>> Public Internet Intranet
>> [browser]---------------------[proxy]----------[server]
>> SSL plain
>>
>> Here the proxy acts as the server, as seen by the Internet. The browser
>> connects to the proxy via https with SSL, and the proxy sends the
>> request on to the true "back end" server as an ordinary http request, in
>> plain text, unencrypted. This sort of thing happens all the time, and
>> requires no special browser configuration. The browser simply thinks
>> that the proxy is the server in the https URL, and contacts it normally
>> with SSL.
>>
>> If you're asking about something else, please explain.
>>
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
