-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 31 January 2008 3:02 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 10:38 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>> I do know of at least one firewall that will decrypt SSL as it
>> passes through ...
>
> Really? How does this work?
>
>  I dunno about what Kurt's talking about, but here's one possible scenario:
>
>  Create your own, locally-hosted CA (Certificate Authority).  Add
> that CA certificate to the trusted certificate list for all your
> clients (web browsers, etc.).  Tell all the clients to use your
> special HTTP proxy server.  Clients connect to the HTTP proxy, issue
> the CONNECT method, and attempt to start SSL over the TCP pipe.  But
> the special proxy server didn't really make the TCP connection that was
> asked for -- it instead just waits for the SSL startup and acts as an
> SSL server.  Proxy claims to be the server asked for in the CONNECT.
> Proxy uses its own SSL certificate, which is made-up, but signed by
> the local CA.  Client has been configured to trust that CA, so as far
> as client is concerned, it thinks it has the real destination site.

But the cn value in the presented certificate will not match the FQDN that the 
client initially connected to. So you'd get a name mismatch warning in the 
client browser.

Cheers
Ken
So it sends the HTTP request over the SSL tunnel like it normally
would.  Proxy then opens an SSL client connection to the real
destination, and passes the HTTP requests from the client on.

  I think that would work, at least for the common cases.  It won't
work if the real destination is using client certificates to
authenticate the client.  The proxy doesn't have the client's secret
key and thus can't impersonate the client.

-- Ben
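The two outcomes discussed in the thread, seen from the client's side, as an added example that is not part of this message exchange. It uses only the Python standard library; the three certificates are constructed dicts in the shape `ssl.SSLSocket.getpeercert()` returns, and the issuer names ("Example Public CA", "Corp Inspection CA") are made up. It shows why the name check alone does not catch Ben's proxy (the minted certificate carries the hostname the client asked for in CONNECT, so only a certificate bearing the proxy's own name, Ken's case, trips the mismatch warning) and what a client can check instead: whether the issuer is the one it expects for that site.

```python
"""Constructed example: a client-side name check plus an issuer check against
certificates shaped like ssl.SSLSocket.getpeercert() output.  No network, no real
CA; every certificate and issuer name below is made up for illustration."""

# A genuine certificate for the site, issued by a (made-up) public CA.
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Ltd"),),
               (("commonName", "Example Public CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# What the proxy in the thread presents: the names match what the client asked
# for in CONNECT, but the issuer is the locally created CA the clients trust.
INTERCEPT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Corp Inspection CA"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

# The case Ken describes: the proxy presents a certificate in its own name,
# so the client's hostname check fails before anything else is considered.
MISMATCH_CERT = {
    "subject": ((("commonName", "proxy.corp.internal"),),),
    "issuer": ((("commonName", "Corp Inspection CA"),),),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' may stand only for one whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # no partial-label wildcards, no '*.com', and no multi-label matches
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _rdn_values(name, key):
    """Collect every value for `key` from a getpeercert-style distinguished name."""
    return [v for rdn in name for k, v in rdn if k == key]


def claimed_dns_names(cert):
    """Names the certificate claims: SAN dNSName entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or _rdn_values(cert.get("subject", ()), "commonName")


def hostname_matches(cert, hostname: str) -> bool:
    return any(_dns_name_match(n, hostname) for n in claimed_dns_names(cert))


def issuer_common_name(cert) -> str:
    cns = _rdn_values(cert.get("issuer", ()), "commonName")
    return cns[0] if cns else ""


def classify_peer_cert(cert, hostname: str, expected_issuer: str) -> str:
    """Name check first (what the browser does), then an issuer check that a
    name-matching but locally-issued certificate does not pass.  Comparing the
    issuer CN is a simplification; real pinning compares a public-key hash."""
    if not hostname_matches(cert, hostname):
        return "name-mismatch"
    if issuer_common_name(cert) != expected_issuer:
        return "unexpected-issuer"
    return "ok"


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercept", INTERCEPT_CERT),
                        ("mismatch", MISMATCH_CERT)):
        print(f"{label:10s} {classify_peer_cert(cert, 'www.example.com', 'Example Public CA')}")
```

Running it prints `ok` for the genuine certificate, `unexpected-issuer` for the minted one and `name-mismatch` for the proxy's own certificate. The practical point for a client that wants to notice inspection is the middle case: the browser's name check is satisfied by design, so only a check on who signed the certificate (here by issuer name; in practice by a pinned key hash) tells the two apart.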

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~