On Thursday 01 September 2005 22:51, Toni Mueller wrote:
> Hi,
>
> On Thu, 01.09.2005 at 19:29:57 +0200, Markus Wernig <[EMAIL PROTECTED]> wrote:
> > Squid is different. Usually, it doesn't do SSL itself, but just passes
> > the connection on.
>
> it does, however, talk SSL to the outside server.
>
Not normally. The standard HTTPS conversation from Squid's point of view is:

<client connects to proxy>
<client sends>CONNECT www.openbsd.org:443 HTTP/1.1
<client sends>Host: www.openbsd.org:443
<squid connects to TCP port 443 of host www.openbsd.org>
<squid sends>200 OK
<squid sees data flowing through the tunnel, and has no idea what it is, or even if it's SSL>

For all Squid knows, you're not using SSL at all; you could just be sending
plain HTTP. You can confirm this by running a server on TCP port 443 that's
not SSL (e.g. SSH, or even telnet); if you then go through the CONNECT
malarkey, you'll get through to the remote server despite the complete lack of
SSL.

Further, SSL is designed to stop a proxy in the middle from eavesdropping. If
you manage to do so, you've broken SSL, and it's basically useless for most
purposes (there is no technical difference between your "authorised" proxy
sniffing the traffic to do good things like FTP proxying of FTP+SSL, and my
unauthorised proxy sniffing the traffic to get your online banking details).

There are only two ways to get FTP+SSL past a firewall that would otherwise
filter it:

1) Drop firewalling for a range of ports used for FTP+SSL connections. For
example, open 65000-65535 for incoming, and configure your endpoints to listen
there (clients in the case of active FTP, servers in the case of passive).
2) Write a man-in-the-middle proxy that talks FTP+SSL to the remote end,
decrypts it, then talks FTP+SSL to the local end. The local end then needs to
be configured to accept the proxy's certificate for everything, and can't
validate the remote certificate (it has to trust the proxy to do that).

Both are problematic, which is why SFTP was invented.
--
Simon Farnsworth
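As an added illustration of the CONNECT exchange described in the message above (example code, not Squid's own): a minimal tunnelling proxy in Python that parses only the request line, replies 200, and then copies bytes blindly in both directions, so the host:port pair is the only thing it can ever log. It assumes a loopback listener on port 3128 and applies no destination port restrictions, which a production proxy should.

```python
import contextlib
import re
import socket
import threading

# Request line per RFC 7231 section 4.3.6: "CONNECT host:port HTTP/1.x".
CONNECT_LINE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")

def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None if malformed; only the request line is read."""
    m = CONNECT_LINE.match(request)
    if not m or not 1 <= int(m.group(2)) <= 65535:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))

def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes one way until EOF and return the count; the payload is never inspected."""
    total = 0
    while chunk := src.recv(65536):
        dst.sendall(chunk)
        total += len(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side
    return total

def handle(client: socket.socket) -> None:
    """Serve one client: read the CONNECT header block, dial the target, then tunnel."""
    request = b""
    while b"\r\n\r\n" not in request and len(request) < 8192 and (chunk := client.recv(4096)):
        request += chunk
    target = parse_connect(request)
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return client.close()
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        return client.close()
    print(f"tunnel to {target[0]}:{target[1]}")  # host:port is all the proxy can log
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    upstream.sendall(request.partition(b"\r\n\r\n")[2])  # bytes a client sent early
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)

def serve(port: int = 3128) -> None:
    """Listen on 127.0.0.1:port (assumed here) and tunnel each accepted client in its own thread."""
    with socket.create_server(("127.0.0.1", port)) as srv:
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Call serve() to start it, point a client at 127.0.0.1:3128, and run a non-SSL listener on the target's port 443 to reproduce the check described above: the tunnel comes up regardless of what protocol flows through it.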
