Hi Vadim,

I am sorry for portraying the problem vaguely. I will make an attempt to clarify the problem -

The entire scenario -

Client -- Proxy Server - Proxy Client -- Backend Server

Proxy Server and Proxy Client are on the same M/C and hence no SSL communication between them. Data transfer through IPC.

Localized Scenario : Client -- Proxy Server

1. Client has a CA signed certificate, call it "CLIENT CERT".
2. Client's Public Key is tightly coupled with "CLIENT CERT".
3. This public key will be used in establishing the SSL connection with the Proxy Server.
4. Proxy Server could extract the "CLIENT CERT", say to a file. The file would be available for the Proxy Client (since both would be on the same m/c).

Localized Scenario : Proxy Client -- Backend Server

5. The requirement is, Proxy Client should be presenting "CLIENT CERT" to the backend server.

My doubt is, as a certificate is tightly coupled with a Public Key, how could the Proxy Client use "CLIENT CERT" (that has the client's public key) in its communication with the backend server (using SSL)?

I referred to Stronghold HTTP server as, on their website, they offer two options:
1. to tunnel the "CLIENT CERT" to the backend server
2. to present a "PROXY CLIENT CERT" for the proxy client -- backend server scenario.

My requirement is to develop this functionality not for a particular protocol, but generically.

Sorry for the confusion. I hope I have been clearer than earlier.

with thanks and regards,
rsr.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vadim Fedukovich
Sent: Monday, January 20, 2003 2:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Proxy'ing client certs

On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> I have already posted the following on the lists under "Proxy'ing client
> certs" thread.
> Could not see the posting, hence re-posting.
> -----------------------------------------------------------------
> My understanding had been the following :
>
> Client       ---- Proxy Server -- Proxy Client     ---- Server
> produces a        consumes        presents a            Can only recv
> CA signed         the             ProxyClient Cert      ProxyClient Cert
> Client Cert       Client Cert
>
> "ProxyClient Cert" is not the same as "Client Cert".
>
> Though the Proxy Server is in receipt of the "Client Cert", it
> cannot represent the same in the SSL connection between
> "ProxyClient - Server". The requirement is to make the Proxy
> faithfully forward the "Client Cert" to the "Server".

It's hard for me to see how this could fit SSL and HTTP protocols, sorry.
Someone else might be lucky here.

"consume certificate" probably means "engage in a protocol to prove the name certified".
It's still an open question which protocol both does the job and is implemented by popular browsers.
Hope you could hit your target with other tools like password-based proxy access or maybe proxy access controlled by IPSec.

> Vadim, suggested that "CONNECT method of HTTP can be
> used to setup TCP connections first and run SSL next. Proxy
> could forward SSL traffic".
>
> It had been difficult to understand the solution. It seems to me that
> we need to set up a TCP connection via the proxy server first and add
> SSL to it later. I am not aware of how to do this.

There was a document by Ari Luotonen; just found it at (single line!)
http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt

It describes the method how a proxy could handle HTTPS requests.
Please note HTTP details might be off-topic for this list.

hope this helps,
Vadim Fedukovich
consulting and software development

> Could one help me further.
>
> Namaste,
> R S Chandrasekhar
> [EMAIL PROTECTED]
> ISD : 091-080-2051166
> Telnet : 847-1166
> Phone : 2052427
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
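The CONNECT tunnelling that Vadim points to (Luotonen's draft), as an added example that is not code from this thread, from OpenSSL or from Stronghold: a minimal Python proxy that sets up the TCP connection first and then relays the SSL bytes untouched. The names `parse_connect`, `relay`, `handle`, `serve` and the backend allowlist are my own choices; because the proxy never terminates SSL, the client's certificate and the handshake signature made with the client's private key travel end to end to the backend, which is exactly why the proxy never needs that private key.

```python
import contextlib
import socket
import threading

def parse_connect(request: bytes):
    """Parse 'CONNECT host:port HTTP/1.x' -> (host, port), or None if malformed."""
    parts = request.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    return (host, int(port)) if sep and host and port.isdigit() else None

def relay(src, dst):
    """Copy bytes one way until EOF, then half-close dst so the far side sees EOF."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(conn, allowed):
    """Answer one CONNECT request, then pass the SSL bytes through untouched."""
    with conn, contextlib.suppress(OSError):
        req = b""
        while b"\r\n\r\n" not in req and (chunk := conn.recv(4096)):
            req += chunk
        target = parse_connect(req)
        if target is None or target not in allowed:  # refuse open-relay use
            return conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        try:
            upstream = socket.create_connection(target)
        except OSError:
            return conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        with upstream:
            # From here on the proxy is blind: ClientHello, client cert and its signature go straight through.
            back = threading.Thread(target=relay, args=(upstream, conn))
            back.start()
            relay(conn, upstream)
            back.join()

def serve(allowed, port=0):
    """Accept loop on 127.0.0.1 in a background thread; returns the bound port."""
    srv = socket.create_server(("127.0.0.1", port))
    def loop():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0], allowed), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```

Start it with e.g. `serve({("backend.example", 443)})` (a placeholder host) and point an SSL client at the returned port with a CONNECT request; the allowlist is what stops the tunnel from being abused as a generic relay.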