Tunneling through hostile proxy
Dave Howe
DaveHowe at gmx.co.uk
Tue Jul 23 14:18:56 PDT 2002
Ben Laurie wrote:
|| Errr - its tricky anyway, coz the cert has to match the final
|| destination, and, by definition almost, that can't be the proxy.
provided you can impose a CA cert onto the user browser (not hard in a
corporate environment) it isn't as if signing a certificate "on the fly"
is hard - consider the following
1. proxy has CA private key A and SSL public key B
2. client requests connect to SSL on xxx.yyy.zzz.com
3. proxy uses OpenSSL library to create certificate for xxx.yyy.zzz.com
on the fly (with Public key B) signed by CA key A
4. proxy opens SSL link to xxx.yyy.zzz.com
5. if step 4 succeeds, proxy sends cert to client
5. client checks cert against its own local copy of public key A (from
its root cert dir) which claims to be "thawte, inc"
6. client approves link and negotiates SSL with proxy
7. proxy links its connection to xxx.yyy.zzz.com to inbound client
connection
8. proxy passes (and logs) packets
More information about the cypherpunks-legacy
mailing list