hc-dev mailing list archives

From "Roland Weber" <ROLWE...@de.ibm.com>
Subject Re: AW: Proxied SSL connection
Date Wed, 06 Aug 2003 09:08:08 GMT
Hello Christian,

It depends on what you want to do. SSL is meant to
establish a secure end-to-end connection, and both
ends are *usually* the client and the backend server.

I wouldn't rule out the possibility to connect to the
proxy using SSL. But this will only secure the connection
to the proxy, not to the backend server. It just doesn't
make sense to secure the first hop of the connection
and let the secured data be transferred unprotected
from there on.

You could use the secure connection to the proxy to
establish a tunnel to the backend server and run SSL
through that tunnel as well. But this would mean the
client has to encrypt data twice, without adding to
the security of the overall connection, since the SSL
tunnel to the backend alone will protect the data all
the way.

I think Oleg is right calling it an *unusual* setup if
the SSL security ends at the proxy.



AFAIK, what Oleg describes is not only the conventional, but the 
official (and possibly only) way to do SSL through a proxy. I recently 
read up on the details (e.g., see 
http://muffin.doit.org/docs/rfc/tunneling_ssl.html), and found that 
tunneling is probably the only way to do it.
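
The tunneling arrangement discussed in this message, sketched in Python as an added example (not part of the original e-mail and not HttpClient code): the client asks the proxy for a raw tunnel with the HTTP CONNECT method, then runs the TLS handshake with the backend through it, so the proxy only relays ciphertext. The function names, the in-process fake proxy and the host `backend.example` are constructed for illustration.

```python
import socket
import ssl
import threading

def open_tunnel(sock, host, port):
    """Send CONNECT over a socket already connected to the proxy."""
    target = f"{host}:{port}"
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
    head = b""
    while b"\r\n\r\n" not in head:  # read the proxy's reply header
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        head += chunk
    status = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(status) < 2 or not status[1].startswith("2"):
        raise ConnectionError(f"proxy refused tunnel: {' '.join(status)}")
    return sock  # from here on the proxy only relays bytes

def tls_via_proxy(proxy_addr, host, port=443):
    """End-to-end TLS: handshake and certificate check are with `host`, not the proxy."""
    raw = socket.create_connection(proxy_addr)
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(open_tunnel(raw, host, port), server_hostname=host)

def demo(reply):
    """Run open_tunnel against a constructed in-process 'proxy' that answers with `reply`."""
    client, proxy = socket.socketpair()
    seen = []
    def fake_proxy():
        buf = b""
        while b"\r\n\r\n" not in buf:
            buf += proxy.recv(4096)
        seen.append(buf)       # everything the proxy learns: target host and port
        proxy.sendall(reply)
    worker = threading.Thread(target=fake_proxy)
    worker.start()
    try:
        open_tunnel(client, "backend.example", 443)  # hypothetical backend
        ok = True
    except ConnectionError:
        ok = False
    worker.join()
    client.close()
    proxy.close()
    return ok, seen[0]

if __name__ == "__main__":
    print(demo(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```
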

