Hi,

We have a software product which allows Clients (C) to communicate with 
Agents (A) via a Proxy server (P). Client, Proxy and Agent are all part of our 
product suite. The data transferred can even be in Gigabytes (these are actually 
large files being transferred). Multiple clients can communicate with 
multiple agents via the same Proxy. All data transfer happens via SSL. Right 
now, all data coming from C is first decrypted at P and then encrypted 
again before being written to P, since separate connections exist between C & P 
and P & A, with separate SSL connections as well. This decryption/encryption at 
P is making overall communication slow, and is putting too much CPU load on P.

To improve this situation, we plan to make P a sort of tunnel for data coming 
from C to A and that coming from A to C. Here is the proposed process (similar 
to a socks proxy):

1. TCP Connection and Handshake: C <==> P. Call this connection C1.
2. SSL Handshake: C <==> P.
3. Application level Handshake and authentication: C <==> P.
4. TCP Connection and Handshake: P <==> A. Call this connection C2. On 
completion of this step C has successfully authenticated itself to P, and all 
data coming from C is henceforth copied to A and vice-versa.
5. SSL Handshake: C <==> A. This handshake is between C and A. P just forwards 
all data coming from C1 to C2. So C and A will negotiate the communication 
parameters between themselves, including the SSL cipher suite, etc.
6. Application Level Data Transfer: P just copies all data coming from C1 to C2 
and vice-versa.
a. C => P => A (No encryption/decryption/interpretation – just plain copying of 
all data).
b. A => P => C (No encryption/decryption/interpretation – just plain copying of 
all data).
7. At some point, application Level Data Transfer Ends, and connections close.

I have two questions:

1. Do you foresee any problem/difficulties implementing this approach?
2. Is there a concern of a man-in-the-middle attack between step 4 and 5? If yes, 
how can we overcome that - any pointers?

-Prabhat

PS: We are using the openssl library, and this is a security-related question, that 
is why I have asked this here. Please forgive me if you feel this post doesn't 
belong here.
                                          
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
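The tunnelled step-5 handshake from the proposal above, as an added Go example that is not part of this thread or the poster's product (it uses Go's crypto/tls instead of OpenSSL so that it runs stand-alone): P only splices bytes between C1 and C2 and holds no TLS state, while C verifies A's certificate against the pool it trusts, so a relay or any other party between C and A that presents a substituted certificate for the same name fails C's verification and the handshake aborts. The certificate generation, the name agent.example and the in-memory net.Pipe connections are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed certificate for name (stand-in for a real PKI) and a pool trusting only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// splice is P after step 4: blind byte copying C1 <-> C2 with no TLS state at P; both ends close when either side finishes.
func splice(c1, c2 net.Conn) {
	relay := func(dst, src net.Conn) { io.Copy(dst, src); c1.Close(); c2.Close() }
	go relay(c2, c1)
	go relay(c1, c2)
}

// Tunnel runs the step-5 handshake between C and A across the spliced proxy: serverCert is whatever
// the far end presents, trusted is what C accepts. A nil error means C authenticated A end to end.
func Tunnel(serverCert tls.Certificate, trusted *x509.CertPool) error {
	c1Client, c1Proxy := net.Pipe() // C1: C <-> P
	c2Proxy, c2Agent := net.Pipe()  // C2: P <-> A
	splice(c1Proxy, c2Proxy)
	go tls.Server(c2Agent, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake() // A
	c := tls.Client(c1Client, &tls.Config{RootCAs: trusted, ServerName: "agent.example"})
	defer c.Close()
	return c.Handshake()
}

func main() {
	agentCert, agentPool := selfSigned("agent.example")
	mitmCert, _ := selfSigned("agent.example") // same name, different key: a substituted certificate
	fmt.Println("genuine agent:", Tunnel(agentCert, agentPool), "| substituted:", Tunnel(mitmCert, agentPool))
}
```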