Hi Chandrasekhar,

On Wed, Jan 22, 2003 at 11:20:58AM +0530, Chandrasekhar R S wrote:
> Hi Vadim
>       I am sorry for portraying the problem vaguely.
> 
>       I will make an attempt to clarify the problem -
> 
>       The entire scenario -
> 
>           Client -- Proxy Server - Proxy Client -- Backend Server
> 
>           Proxy Server and Proxy Client are on the same M/C and hence no SSL
> communication between them.  Data transfer through IPC.
> 
>             Localized Scenario : Client -- Proxy Server
>             1. Client has CA signed certificate, call it "CLIENT CERT".
>             2. Client's Public Key is tightly coupled with "CLIENT CERT"

You likely mean private key here

>             3. This public key will be used in establishing SSL connection
>                with the Proxy Server.

To establish an SSL connection with the proxy, an SSL server certificate
and private key are required. It is not required to do the CONNECT method
of HTTP.

>             4. Proxy Server could extract the "CLIENT CERT", say to a file.
>                The file would be available for the Proxy Client (since both
>                would be on the same m/c).

I should say it again: yes, SSL client certificate is available for
"Proxy Client" at this point. One could print it or something.
However, it needs the corresponding private key to run SSL protocol
pretending to be the client.

>             Localized Scenario : Proxy Client -- Backend Server
>             5. The requirement is, Proxy Client should be presenting
>                "CLIENT CERT" to the backend server.

Yes, it can "present" it somehow

>      My doubt is, as a certificate is tightly coupled with a Public Key, how
> could the Proxy Client use "CLIENT CERT" (that has client's public key) in
> its communication with the backend server (using SSL).

Please remember SSL had well-defined protocol design goals,
including handling man-in-the-middle

>      I referred to Stronghold HTTP server as, in their website they offer
> two options, 1. to tunnel the "CLIENT CERT" to the backend server
>          2. to present a "PROXY CLIENT CERT" for proxy client -- backend
> server scenario.

I'd prefer to keep talking about well-known protocols and 
business requirements.

Would Connect method of HTTP deliver functions wanted?

>      My requirement is to develop this functionality not for a particular
> protocol, but generically.

Any chance to tune mod_ssl or apache-ssl to do the job?

>      Sorry for the confusion.  I hope, I had been clearer than earlier.
> 
> with thanks and regards,
> rsr.

best wishes,
Vadim Fedukovich
consulting and software development
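An added example (not code from this thread or from Vadim) of what the CONNECT suggestion looks like in practice, in Python: the client asks the proxy for a raw TCP tunnel, then runs the TLS handshake with the backend itself, so the "CLIENT CERT" private key never leaves the client and the proxy, which only relays ciphertext, has nothing to impersonate. Host names and file names are placeholders.

```python
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    # Ask the proxy for a raw TCP tunnel to host:port; no TLS has happened yet.
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_status(headers: bytes) -> int:
    # Return the HTTP status code from the proxy's reply to CONNECT.
    status_line = headers.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def read_proxy_response(sock: socket.socket) -> int:
    # Read one byte at a time and stop at the blank line, so none of the TLS
    # handshake bytes that follow the proxy's reply are swallowed here.
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return parse_connect_status(buf)


def tls_through_proxy(proxy, backend, certfile, keyfile, cafile) -> ssl.SSLSocket:
    # The client keeps its private key; the proxy only relays ciphertext.
    ctx = ssl.create_default_context(cafile=cafile)  # verify the backend's server cert
    ctx.load_cert_chain(certfile, keyfile)           # present CLIENT CERT plus its key
    raw = socket.create_connection(proxy)
    raw.sendall(build_connect_request(*backend))
    status = read_proxy_response(raw)
    if status != 200:
        raw.close()
        raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
    # The handshake runs end to end inside the tunnel; the backend, not the
    # proxy, verifies the client certificate against the client's private key.
    return ctx.wrap_socket(raw, server_hostname=backend[0])


if __name__ == "__main__":
    # Placeholder proxy, backend and PEM file names (not from the thread).
    tls = tls_through_proxy(("proxy.example", 3128), ("backend.example", 443),
                            "client-cert.pem", "client-key.pem", "backend-ca.pem")
    print(tls.getpeercert()["subject"])
```

A 407 from the proxy means it wants its own (proxy-level) authentication, which is separate from the client certificate the backend will see.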

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vadim Fedukovich
> Sent: Monday, January 20, 2003 2:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Proxy'ing client certs
> 
> 
> On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> > I have already posted the following on the lists under "Proxy'ing client
> > certs" thread.
> > Could not see the posting, hence re-posting.
> > -----------------------------------------------------------------
> > My understanding had been the following :
> >
> > Client       ----       Proxy Server   --   Proxy Client       ----   Server
> > produces a              consumes             presents a                Can only recv
> > CA signed               the                  ProxyClient Cert          ProxyClient Cert
> > Client Cert             Client Cert
> >
> > "ProxyClient Cert" is not the same as "Client Cert".
> >
> > Though the Proxy Server is in receipt of the "Client Cert", it
> > cannot represent the same in the SSL connection between
> > "ProxyClient - Server".  The requirement is to make the Proxy
> > faithfully forward the "Client Cert" to the "Server".
> 
> It's hard for me to see how this could fit SSL and HTTP protocols, sorry.
> Someone else might be lucky here
> 
> "consume certificate" probably means "engage in a protocol to prove
> the name certified". It's still an open question which protocol both does the job
> and is implemented by popular browsers.
> 
> Hope you could hit your target with other tools like password-based
> proxy access or maybe proxy access controlled by IPSec
> 
> > Vadim, suggested that "CONNECT method of HTTP can be
> > used to setup TCP connections first and run SSL next.  Proxy
> > could forward SSL traffic".
> >
> > It had been difficult to understand the solution.  It seems to me that
> > we need to set up a TCP connection via the proxy server first and add
> > SSL to it later.  I am not aware of how to do this.
> 
> There was a document by Ari Luotonen; just found it at (single line!)
> http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-t
> unneling-01.txt
> It describes the method how a proxy could handle HTTPS requests
> 
> Please note HTTP details might be off-topic for this list
> 
> hope this helps,
> Vadim Fedukovich
> consulting and software development
> 
> >
> > Could one help me further.
> >
> > Namaste,
> > R S Chandrasekhar
> > [EMAIL PROTECTED]
> > ISD     : 091-080-2051166
> > Telnet : 847-1166
> > Phone : 2052427
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]