On Mon, Feb 10, 2003, Chandrasekhar R S wrote:

> It seems I have not explained myself ably.
>
> I completely understand that Private Keys should and would never be sent
> across.
>
> But assume that you are going through a proxy using SSL. And the proxy has
> no capability to verify the certs. That capability is vested with a server
> that sits behind the proxy (I call it the Backend server).
>
> Now all I want is to get the cert presented by the client, to be passed on
> by the proxy, to the backend server.
>
> Usually proxies replicate a connection they receive, i.e., they will
> initiate a new connection to the Backend Server for every connection they
> receive from the client. Thus we have two separate SSL connections between
> the client and the backend server. One from client to the proxy and the
> other from proxy to the backend server.
>
> Succinctly, the question is how to use the cert presented by the client in
> the SSL connection between proxy and the backend server.
You cannot do this directly with standard SSL/TLS, because the data signed by the client for its CertificateVerify message (which proves the client has the private key corresponding to the certificate it presented) is the hash (well, two hashes, using MD5 and SHA1, for RSA keys) of the handshake messages up to that point. This means that the hashes the client signs, which cover the handshake between the client and the proxy, will typically not match those of the handshake between the proxy and the backend server. This is to stop MITM attacks.

Why do you need to use two separate SSL connections, BTW? Is there some reason the proxy can't send the messages verbatim from the client to the backend server and copy those from the backend server to the client?

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
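The transcript binding Steve describes, as an added example that is not part of the thread and not OpenSSL code. It models the TLS 1.0 RSA CertificateVerify (RFC 2246 §7.4.8: the client signs MD5(handshake_messages) || SHA1(handshake_messages)) with constructed stand-in handshake messages and a small textbook RSA key (raw integer signing, no PKCS#1 padding, insecure, for illustration only). It shows why a proxy that terminates TLS cannot replay the client's CertificateVerify towards a backend with its own handshake, and why a proxy that relays the handshake bytes verbatim, as Steve suggests, has no such problem.

```python
"""Why a terminating proxy cannot reuse a client's TLS CertificateVerify.

Added example, not from the mailing-list thread. All handshake messages below
are constructed stand-in byte strings; the RSA key is a toy key (no padding,
NOT secure) built only so the signing step runs offline.
"""
import hashlib
import random
from typing import Dict, List, Tuple


# --- toy RSA (constructed for the demo; never use raw RSA like this) ----------
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for a demonstration key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_toy_rsa_key(seed: int = 1) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns ((e, n), (d, n)). A 320-bit modulus is enough to hold the 36-byte
    MD5||SHA1 digest as a raw integer. Seeded so the demo is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(160, rng), _random_prime(160, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


# --- TLS 1.0 CertificateVerify over the handshake transcript ------------------
def certificate_verify_digest(handshake_messages: List[bytes]) -> bytes:
    """MD5 and SHA-1 over all handshake messages so far, concatenated (36 bytes)."""
    transcript = b"".join(handshake_messages)
    return hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()


def sign_certificate_verify(msgs: List[bytes], priv: Tuple[int, int]) -> int:
    d, n = priv
    return pow(int.from_bytes(certificate_verify_digest(msgs), "big"), d, n)


def verify_certificate_verify(msgs: List[bytes], sig: int, pub: Tuple[int, int]) -> bool:
    """The verifier recomputes the digest over ITS OWN view of the handshake."""
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(certificate_verify_digest(msgs), "big")


def run_demo() -> Dict[str, bool]:
    client_pub, client_priv = make_toy_rsa_key()
    client_cert = b"Certificate{client}"  # constructed stand-in for the client's cert

    # Connection 1: client <-> proxy, the proxy terminating TLS as the server.
    client_proxy = [b"ClientHello{random=client}", b"ServerHello{random=proxy}",
                    b"Certificate{proxy}", b"CertificateRequest", b"ServerHelloDone",
                    client_cert, b"ClientKeyExchange{for proxy key}"]
    sig = sign_certificate_verify(client_proxy, client_priv)

    # Connection 2: proxy <-> backend. The proxy forwards the client cert and
    # replays the signature, but the backend's transcript has its own randoms,
    # certificate and key exchange, so its recomputed digest differs.
    proxy_backend = [b"ClientHello{random=proxy-client-side}", b"ServerHello{random=backend}",
                     b"Certificate{backend}", b"CertificateRequest", b"ServerHelloDone",
                     client_cert, b"ClientKeyExchange{for backend key}"]

    # Steve's alternative: relay bytes verbatim, so the backend sees the same transcript.
    relayed = list(client_proxy)

    return {
        "proxy_verifies": verify_certificate_verify(client_proxy, sig, client_pub),
        "backend_verifies": verify_certificate_verify(proxy_backend, sig, client_pub),
        "relay_verifies": verify_certificate_verify(relayed, sig, client_pub),
        "digests_differ": certificate_verify_digest(client_proxy)
        != certificate_verify_digest(proxy_backend),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The backend fails not because the certificate or key is wrong but because the signed value commits to the exact handshake the client took part in; that is the same property that stops a man-in-the-middle from splicing two sessions together, so any design that needs the backend to authenticate the client either relays the TLS bytes untouched or has the proxy do the verification and convey the result by a separately authenticated channel.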