sorry for replying to my own mail, but just to summarize for clarity:
the ssl handshake protocol has 2 phases: the server authentication and the
client authentication (optional). with the mitm ssl proxy the first phase of
the handshake will fail.
--jan van rensburg
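The checks Jan describes, driven with the openssl command line, as an added illustration that is not part of the thread: a client only accepts a certificate whose chain ends in its trust store and whose name matches the URL, so a proxy certificate is rejected on both counts until the browser is made to trust the proxy CA. Only www.mybank.com comes from the thread; every other name here is constructed for the demo, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: the certificate checks a browser performs, driven with the openssl CLI.
# All names except www.mybank.com (from the thread) are constructed for this demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

# make_ca <name> <subject>: self-signed CA certificate plus key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# issue_cert <ca> <name> <hostname>: leaf certificate for <hostname> signed by <ca>
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" 2>/dev/null
}
# client_accepts <cert> <trust-store> <url-hostname>: succeeds only if a client that
# trusts <trust-store> would accept <cert> for a URL naming <url-hostname>
# (the chain must end in the trust store AND the name must match the URL).
client_accepts() {
  openssl verify -CAfile "$2.pem" -verify_hostname "$3" "$1.pem" >/dev/null 2>&1
}
report() {
  if client_accepts "$1" "$2" www.mybank.com; then echo "$1.pem via $2.pem: accepted"
  else echo "$1.pem via $2.pem: REJECTED (browser refuses or warns)"; fi
}

make_ca bank-ca "Bank Root CA"                       # assumed to be in the browser's store
issue_cert bank-ca bank www.mybank.com               # the bank's real server certificate
make_ca proxy-ca "Firewall Proxy CA"                 # the firewall's own CA (constructed)
issue_cert proxy-ca proxy ssl-proxy.firewall.example # the proxy's own certificate
issue_cert proxy-ca reissued www.mybank.com          # the proxy re-issuing the bank's name

report bank bank-ca        # 1: real server, trusted issuer, name matches: transparent
report proxy proxy-ca      # 2: the proxy's own cert: name does not match the URL
report reissued bank-ca    # 3: right name, but the browser does not trust the proxy CA
report reissued proxy-ca   # 4: accepted only once the browser trusts the proxy CA
```

Case 4 is the point of the thread: the interception is only transparent after the client has been told to trust the proxy's CA, which is also the party holding the clear text.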
> -----Original Message-----
> From: Jan van Rensburg [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 05, 1999 10:31 AM
> To: 'David Lang'; Paul Krumviede
> Cc: [EMAIL PROTECTED]; Paul D. Robertson; firewalls
> Subject: RE: Routing protocols thru firewall
>
>
> hi,
>
> > does anyone know of a proxy that will sit as a man-in-the-middle on a
> > firewall to pass SSL traffic, but have it decrypted on the firewall to
> > allow for the type of scanning that is desired?
>
> i can't see how that would work. there was a discussion about this on this
> list a while ago, and at first i thought it would be a pretty good idea. an
> ssl proxy with its own certificate, decrypting the stream from the server
> and then encrypting it to the client with its own certificate. however,
> based on the url the client browser (at least msie & netscape) will refuse
> or warn you that it is not a valid certificate. so at the very least it
> won't be transparent, and the client will never be sure that he is actually
> talking to www.mybank.com. the proxy will however be able to verify this,
> which means the browser has to trust the proxy. (which i guess it has to do
> anyways, 'cause the proxy has clear-text access to information that's
> supposed to be private). please correct me if i'm wrong - cryptographer i am
> not.
>
> --jan van rensburg
>
> > -----Original Message-----
> > From: David Lang [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 04, 1999 11:42 PM
> > To: Paul Krumviede
> > Cc: [EMAIL PROTECTED]; Paul D. Robertson; firewalls
> > Subject: Re: Routing protocols thru firewall
> >
> >
> > does anyone know of a proxy that will sit as a man-in-the-middle on a
> > firewall to pass SSL traffic, but have it decrypted on the firewall to
> > allow for the type of scanning that is desired?
> >
> > David Lang
> >
> > "If users are made to understand that the system administrator's job is to
> > make computers run, and not to make them happy, they can, in fact, be made
> > happy most of the time. If users are allowed to believe that the system
> > administrator's job is to make them happy, they can, in fact, never be made
> > happy."
> > -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
> >
> > On Thu, 4 Feb 1999, Paul Krumviede wrote:
> >
> > > Date: Thu, 04 Feb 1999 12:11:12 -0800
> > > From: Paul Krumviede <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Cc: Paul D. Robertson <[EMAIL PROTECTED]>, firewalls <[EMAIL PROTECTED]>
> > > Subject: Re: Routing protocols thru firewall
> > >
> > > From a different Paul...
> > >
> > > The problem is that many people notice that HTTP and SSL are allowed
> > > through firewalls, so they decide the best way to get a nifty new service
> > > through is to run it over HTTP or SSL. Many people avoid implementing
> > > something like SMTP auth by running SMTP over SSL. Now say that you
> > > want your firewall to scan for virii, trojans, whatever. How does it
> > > do that?
> > >
> > > For the truly amusing scenario, consider people who want to let MBONE
> > > stuff, which is basically arbitrary IP packets encapsulated in a
> > > unicast stream, through the firewall to a multicast server inside
> > > your net that will strip the encapsulation and place the revealed
> > > packets on your net. Does that make you feel comfortable about
> > > letting it through your firewall?
> > >
> > > -paul
> > >
> > > Michael Sorbera wrote:
> > > >
> > > > Hello everyone,
> > > > Paul, you mentioned that SSL was one of your "no's". Could you please
> > > > explain to me how SSL can be used to encapsulate something? Also why
> > > > the no? Please keep the explanation down to a level I can understand.
> > > >
> > > > Thanks all,
> > > > Michael Sorbera
> > > > Webmaster/Network Engineer
> > > > Randolph-Brooks Federal Credit Union
> > > > www.rbfcu.org
> > > > [EMAIL PROTECTED]
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >