On Jan 30, 2008 10:38 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>> I do know of at least one firewall that will decrypt SSL as it
>> passes through ...
>
> Really? How does this work?
I dunno about what Kurt's talking about, but here's one possible scenario:

Create your own, locally-hosted CA (Certificate Authority). Add that CA certificate to the trusted certificate list for all your clients (web browsers, etc.). Tell all the clients to use your special HTTP proxy server.

Clients connect to the HTTP proxy, issue the CONNECT method, and attempt to start SSL over the TCP pipe. But the special proxy server didn't really make the TCP connection that was asked for -- it instead just waits for the SSL startup and acts as an SSL server. The proxy claims to be the server asked for in the CONNECT. The proxy uses its own SSL certificate, which is made up, but signed by the local CA. The client has been configured to trust that CA, so as far as the client is concerned, it thinks it has the real destination site. So it sends the HTTP request over the SSL tunnel like it normally would. The proxy then opens an SSL client connection to the real destination, and passes the HTTP requests from the client on.

I think that would work, at least for the common cases. It won't work if the real destination is using client certificates to authenticate the client. The proxy doesn't have the client's secret key and thus can't impersonate the client.

-- Ben
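The certificate side of the scenario Ben describes, as an added example in Go that is not part of the original thread: it builds a "real" CA and site certificate and a local CA with a made-up certificate for the same host name (all constructed in memory; the CA names and host are assumptions), then shows that the proxy certificate only verifies once the local CA is in the client's trust store, and that a client pinning the real site's SubjectPublicKeyInfo hash still catches the substitution even when it does trust the local CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// newCert issues a cert for cn signed by parent (nil parent: self-signed CA root); errors dropped for brevity.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if !isCA {
		tmpl.DNSNames = []string{cn} // a server cert needs a SAN for the hostname check
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: what a pinning client stores for the real site.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// Scenario (all certificates constructed here, names assumed): does the proxy's made-up cert verify with the local CA trusted, without it, and does its pin match the real site's?
func Scenario() (trustedWithLocalCA, trustedWithoutLocalCA, pinMatches bool) {
	const host = "www.example.com"
	realCA, realKey := newCert("Real Public CA", true, nil, nil)
	realLeaf, _ := newCert(host, false, realCA, realKey)
	localCA, localKey := newCert("Local Proxy CA", true, nil, nil)
	proxyLeaf, _ := newCert(host, false, localCA, localKey)
	publicOnly, withLocal := x509.NewCertPool(), x509.NewCertPool()
	publicOnly.AddCert(realCA)
	withLocal.AddCert(realCA)
	withLocal.AddCert(localCA)
	_, errWith := proxyLeaf.Verify(x509.VerifyOptions{Roots: withLocal, DNSName: host})
	_, errWithout := proxyLeaf.Verify(x509.VerifyOptions{Roots: publicOnly, DNSName: host})
	return errWith == nil, errWithout == nil, spkiPin(proxyLeaf) == spkiPin(realLeaf)
}
```

The three results come back true, false, false: adding the CA to the trust store is the whole trick, and a pin on the real site's key is the client-side check that survives it.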
