Hi,

Thanks to everyone for their explanation of what is going on. I really appreciate it. To summarize:

Q: I was wondering why I needed to use a self-signed cert on my iBoss web filter instead of my wildcard cert?

I had several answers, but I like the one from Robert Lanning the best:

1) Transparent
2) SOCKS
3) Web proxy, where HTTPS is handled by a CONNECT request

1 and 3 are the most common nowadays.

The certificate checked in all cases is the final destination certificate. There is no "Proxy Certificate".

In transparent mode, the TCP SYN is intercepted and the proxy sends its own. It retrieves the certificate from the server and generates its own version. It then fakes being the server back to the client, using its version of the certificate. It just swaps the public key with its own and resigns the certificate with its own CA's private key. It then retrieves the request from the client and duplicates it to the server (if policy allows) and is then able to scan the content coming from the server.

With SOCKS you are basically intercepting the socket() call instead of intercepting the packets, but at the high level you are doing the same as the transparent proxy.

Web proxies are just implemented even higher in the stack. Instead of intercepting the socket() call, the application talks directly with the proxy. In the case of SSL traffic, it asks the proxy to make a blind connection (CONNECT proxy request) and pass the data unhindered. Of course the proxy can interfere with the connection and swap out the certificate and lie about the connection.

In all cases the client must have the CA certificate of the proxy.

cheers,

ski

--
"When we try to pick out anything by itself, we find it
  connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, [email protected], 206-501-9803
or ski98033 on most IM services
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
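Added example, not part of the thread above and not iBoss code: the "swap the public key and re-sign with the proxy CA" step from the transparent-proxy explanation, written out with the Python `cryptography` package so the two outcomes can be checked directly. A fictional public root issues the origin certificate, a fictional proxy CA produces the cloned copy, and a minimal client check shows that the clone is rejected unless the proxy CA is in the client's trust store. All hostnames and CA names are made up; the dependency on `cryptography` is an assumption of this example.

```python
# Added example (not from the original mailing-list thread, not iBoss code):
# how an intercepting proxy builds "its own version" of a server certificate,
# and why the client must trust the proxy CA. Hostnames and CA names are
# fictional. Assumes the `cryptography` package is installed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(common_name):
    """Self-signed CA. Used for both the fictional public root and the proxy CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    nb, na = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nb).not_valid_after(na)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_server_cert(hostname, ca_key, ca_cert):
    """The real origin certificate that the proxy retrieves from the server."""
    key = ec.generate_private_key(ec.SECP256R1())
    nb, na = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nb).not_valid_after(na)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def clone_and_resign(origin_cert, proxy_ca_key, proxy_ca_cert):
    """The proxy's step: same subject, SANs and serial, but a new key pair and
    a signature from the proxy CA instead of the original issuer."""
    new_key = ec.generate_private_key(ec.SECP256R1())
    nb, na = _validity()
    b = (
        x509.CertificateBuilder()
        .subject_name(origin_cert.subject)
        .issuer_name(proxy_ca_cert.subject)   # issuer is now the proxy CA
        .public_key(new_key.public_key())      # the swapped-in public key
        .serial_number(origin_cert.serial_number)
        .not_valid_before(nb).not_valid_after(na)
    )
    for ext in origin_cert.extensions:
        # Key identifiers are bound to the old keys; everything else is copied as-is.
        if ext.oid in (ExtensionOID.SUBJECT_KEY_IDENTIFIER, ExtensionOID.AUTHORITY_KEY_IDENTIFIER):
            continue
        b = b.add_extension(ext.value, critical=ext.critical)
    return new_key, b.sign(proxy_ca_key, hashes.SHA256())


def signed_by(cert, issuer_cert):
    """Signature check only: did issuer_cert's key sign cert's TBS bytes?"""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def client_accepts(leaf, hostname, trust_store):
    """Minimal client-side check: hostname is in the SAN and the leaf chains to a
    root in trust_store. (A real validator also checks dates, constraints, revocation.)"""
    san = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    return any(leaf.issuer == root.subject and signed_by(leaf, root) for root in trust_store)


def spki(cert):
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def demo(hostname="www.example.test"):
    real_ca_key, real_ca = make_ca("Fictional Public Root")
    _, origin = make_server_cert(hostname, real_ca_key, real_ca)
    proxy_key, proxy_ca = make_ca("Fictional Web Filter Proxy CA")
    _, forged = clone_and_resign(origin, proxy_key, proxy_ca)
    return {
        "same_subject": forged.subject == origin.subject,
        "same_serial": forged.serial_number == origin.serial_number,
        "key_swapped": spki(forged) != spki(origin),
        "origin_ok_without_proxy_ca": client_accepts(origin, hostname, [real_ca]),
        "forged_ok_without_proxy_ca": client_accepts(forged, hostname, [real_ca]),
        "forged_ok_with_proxy_ca": client_accepts(forged, hostname, [real_ca, proxy_ca]),
        "forged_ok_wrong_host": client_accepts(forged, "other.example.test", [real_ca, proxy_ca]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} {v}")
```

The result table is the practical answer to the original question: the cloned certificate carries the site's own subject and names, so a wildcard cert issued to the organization is never what the client sees; what the client sees is re-signed by the filter's CA, and it is that CA certificate, not a wildcard server certificate, that has to be pushed to every client.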
