I believe that many enterprises do not allow an unbroken SSL connection
directly from the client through the proxy/firewall to the remote server.
This is because security policy may allow/disallow certain MIME types in
the entity of the HTTP response. For this reason, SSL is "broken" at the
proxy, and reestablished with a separate SSL session between the proxy and
the remote server. This is not quite as transparent to the client, but still
fairly so. The proxy is much more complicated.
It is my understanding that this scheme is becoming the prevailing security
strategy in large corporations, gaining favor over transparent SSL pass
through. Am I wrong on this?
James Dabbs
[EMAIL PROTECTED]
Director of Engineering
TGA Technologies, Inc.
Suite 140, 100 Pinnacle Way
Norcross, GA 30071
770-441-2100 ext 126
> -----Original Message-----
> From: Hansknecht, Deborah A [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, April 28, 2000 2:57 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Proxy or Firewall
>
> A few comments included within...
>
> > -----Original Message-----
> > From: James Dabbs [mailto:[EMAIL PROTECTED]]
> > Sent: April 28, 2000 5:37 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Proxy or Firewall
>
> ..........deleted stuff........
>
> > HTTP over SSL, though, works transparently through almost any proxy.
> > This is because the HTTP client knows that the proxy exists. It sets
> > an SSL session up with the proxy, and tells the proxy to set up a
> > separate SSL session with the actual server. As long as requests are
> > initiated by the client, everything is OK.
>
> Perhaps I missed some context in other messages that makes the above
> statements correct (and I am probably veering off-topic), but as written
> this is not true. HTTP works over SSL thru a proxy transparently because
> the client knows that a proxy exists, (that much is true) but it DOES NOT
> set up an SSL session. The client sends HTTPS via CONNECT which the proxy
> just passes on to the end server. Your standard HTTP proxy does not
> negotiate any SSL session with either client or server. (that is obvious
> if you remember that you do not need an SSL aware proxy - i.e. Apache
> with mod-ssl or Apache-SSL - if all you want to do is proxy HTTP or HTTPS
> requests.) If you are "reverse-proxying" then the proxy DOES negotiate
> separate SSL sessions with client and server, but that is an entirely
> different bucket of worms and the client browser doesn't even know that
> you are using a proxy.
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
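The CONNECT behaviour Deborah describes, as an added example (not code from either poster or from the OpenSSL project): a minimal forward proxy using only the Python standard library. The client asks the proxy for a tunnel with a CONNECT request; the proxy parses only that request line, applies a port policy (an assumed rule: tunnel only to ports an administrator lists, typically 443), answers "200 Connection established", and from then on copies bytes in both directions without looking at them. Whatever SSL/TLS handshake follows is between the client and the origin, which is why a plain HTTP proxy needs no SSL support of its own. SAMPLE_TLS_BYTES is a constructed stand-in for the first TLS record the client would send; the echo origin, the loopback ports and the function names are all assumptions of this example. An intercepting proxy of the kind James describes would instead terminate the connection here and open its own session upstream, which this example deliberately does not do.

```python
import socket
import threading

# Constructed stand-in for the opaque bytes (a TLS record) the client sends
# once the tunnel is up. The proxy below never inspects them.
SAMPLE_TLS_BYTES = b"\x16\x03\x01\x00\x05hello"


def parse_connect(request: bytes):
    """Parse the head of a 'CONNECT host:port HTTP/1.x' request.

    Returns (host, port), or None if the request line is not a CONNECT.
    Only the request line is examined; the proxy never sees TLS plaintext.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst. No parsing at all."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _read_head(sock):
    """Read until the end of an HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _handle_client(conn, allowed_ports):
    # Simplification: bytes a client sends before the 200 are dropped, not forwarded.
    with conn:
        target = parse_connect(_read_head(conn))
        if target is None or target[1] not in allowed_ports:   # assumed port policy
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            # From here the proxy is a byte pipe; SSL is negotiated end to end.
            t = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
            t.start()
            _pump(conn, upstream)
            t.join()


def _serve(handler):
    """Bind a loopback listener, serve each connection in a daemon thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def start_proxy(allowed_ports):
    return _serve(lambda c: _handle_client(c, allowed_ports))


def start_echo_origin():
    """Stand-in origin server: echoes one chunk back and closes."""
    def echo(c):
        with c:
            c.sendall(c.recv(4096))
    return _serve(echo)


def tunnel_roundtrip(proxy_port, dest_port, payload):
    """Client: request a tunnel to 127.0.0.1:dest_port, push payload, collect the reply.

    Returns (proxy status line, bytes received back through the tunnel).
    """
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.1\r\nHost: 127.0.0.1:%d\r\n\r\n"
                  % (dest_port, dest_port))
        status = _read_head(s).split(b"\r\n", 1)[0]
        if not status.startswith(b"HTTP/1.1 200"):
            return status, b""
        s.sendall(payload)
        echoed = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            echoed += chunk
        return status, echoed


if __name__ == "__main__":
    origin = start_echo_origin()
    proxy = start_proxy({origin})
    print(tunnel_roundtrip(proxy, origin, SAMPLE_TLS_BYTES))
    print(tunnel_roundtrip(proxy, 25, b"x"))
```

Run it directly and the first line shows the 200 status with the constructed bytes coming back untouched through the tunnel; the second shows the 403 the policy check returns for a port outside the allowed set. The point to notice is that nothing in the proxy ever calls into an SSL library: the only thing it parses is the CONNECT line.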