On 1/30/08, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 11:10 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > But the cn value in the presented certificate will not
> > match the FQDN that the client initially connected to.
>
> Why wouldn't it? The proxy has the CA key and can make up new
> certificates all day long, each one with the right CN/DN to match what
> the client requested in the HTTP proxy CONNECT method.
>
> -- Ben
After thinking about this for a couple of hours (and without having looked at documentation at all yet - we're just sitting down today/tomorrow with the VAR to unbox things, and start the implementation), I want to qualify my statement a bit.

The Sidewinder *does* show in its configuration an option to examine SSL traffic. However, I don't know for what purpose, or under what circumstances. It's entirely possible that it's only meant as a proxy for a web server sitting in a DMZ that it's protecting. This is a far less onerous task, since the cert is under control of the site that runs the firewall.

However, if someone wants to remind me next week, after I've had a chance to breathe a moment, I'll be very happy to delve into the docs and see what I can find.

Kurt
