James Dabbs <[EMAIL PROTECTED]>:

> I believe that many enterprises that do not allow an unbroken SSL
> connection directly from the client through the proxy/firewall to
> the remote server.  [...]  SSL is "broken" at the proxy, and
> reestablished with a separate SSL session between the proxy and the
> remote server.  This is not quite as transparent to the client, but
> still fairly so.  The proxy is much more complicated.
> 
> It is my understanding that this scheme is becoming the prevailing security
> strategy in large corporations, gaining favor over transparent SSL pass
> through.  Am I wrong on this?

Which corporations do use this strategy?  What proxy products of this
kind exist?

It's true that direct connections will often be impossible because
there's no internet route between the inside and the outside;
but then SOCKS or HTTP security proxies ("CONNECT ...") can be
used to let the client establish a proxied connection to the remote
host. In these scenarios the proxies *could* intercept the connections
(a man-in-the-middle attack, basically) if they fake server certificates
by acting as a CA of their own, where the CA certificate has been
installed into all the internal SSL clients.  This is how products
like SafePassage work, but they are supposed to run on the local machine,
and their main purpose is to allow superior ciphersuites.
I haven't yet heard of similar programs that are meant for firewall
proxies.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
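The interception scheme discussed above (a proxy that terminates TLS and re-signs the server certificate with an internal CA installed on every client) passes ordinary certificate validation, because the client trusts that CA. The following is an added example, not code from the original thread or from the OpenSSL project: it tunnels a TLS connection through an HTTP CONNECT proxy and then compares the SHA-256 fingerprint of the certificate the client actually received against a pinned value, which is how a client can notice that it is talking to a TLS-terminating proxy rather than the real server. The proxy address, hostname and pinned fingerprint are placeholders.

```python
"""
Added example (not from the original mailing-list post): open a TLS
connection through an HTTP CONNECT proxy and check whether the
certificate the client actually sees is the one it expects. A proxy
that terminates TLS with its own internal CA presents a different leaf
certificate, so its SHA-256 fingerprint will not match the pinned value
even though ssl's normal chain validation succeeds.
Proxy address, hostname and pinned fingerprint below are placeholders.
"""
import hashlib
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP/1.1 CONNECT request asking the proxy to open a raw tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT.

    Raises ValueError if the reply is not a well-formed status line.
    """
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def interception_suspected(der_cert: bytes, pinned_fp: str) -> bool:
    """True when the presented certificate does not match the pinned one.

    A mismatch means either the server legitimately rotated its certificate
    or something between client and server (e.g. a TLS-terminating proxy
    with its own CA) re-signed the connection. Either way the client should
    not silently continue. Accepts "AA:BB:..." or bare hex, any case.
    """
    return cert_fingerprint(der_cert) != pinned_fp.lower().replace(":", "")


def read_headers(sock: socket.socket) -> bytes:
    """Read from the socket until the end of the HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection during CONNECT")
        buf += chunk
    return buf


def tls_via_connect_proxy(proxy: tuple, host: str, port: int, pinned_fp: str) -> bool:
    """Tunnel through the proxy, complete the TLS handshake, and report
    whether the presented certificate matches the pin. Needs a reachable
    proxy and host, so it is only called from the __main__ block."""
    with socket.create_connection(proxy, timeout=10) as raw:
        raw.sendall(build_connect_request(host, port))
        if parse_connect_response(read_headers(raw)) != 200:
            raise ConnectionError("proxy refused CONNECT")
        # Default context still validates the chain against the local trust
        # store; an internal CA installed there makes an intercepting proxy
        # pass this step, which is why the pin check below is needed.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return not interception_suspected(der, pinned_fp)


if __name__ == "__main__":
    # Placeholder values: replace with the real proxy, host and pinned fingerprint.
    ok = tls_via_connect_proxy(("proxy.example.internal", 3128),
                               "www.example.com", 443, "00" * 32)
    print("certificate matches pin" if ok
          else "certificate does NOT match pin: interception or rotation")
```

The important design point is that the pin check is separate from chain validation: `ssl.create_default_context()` accepts any certificate chaining to a CA in the system trust store, so once the proxy's CA has been pushed to every client, chain validation alone tells you nothing about whether the session was terminated at the proxy. Pinning the leaf fingerprint (or, less brittly, the expected issuer) is what distinguishes the two cases; a mismatch should be logged and surfaced rather than ignored, since the same signal also fires on a legitimate certificate rotation.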