From: "Roland Weber"
To: "Commons HttpClient Project"
Subject: Re: AW: Proxied SSL connection
Date: Wed, 6 Aug 2003 11:08:08 +0200
In-Reply-To: <3F30B5E1.5040506@netcologne.de>

Hello Christian,

It depends on what you want to do. SSL is meant to establish a secure end-to-end connection, and both ends are *usually* the client and the backend server. I wouldn't rule out the possibility of connecting to the proxy using SSL. But this will only secure the connection to the proxy, not to the backend server. It just doesn't make sense to secure the first hop of the connection and let the secured data be transferred unprotected from there on.

You could use the secure connection to the proxy to establish a tunnel to the backend server and run SSL through that tunnel as well. But this would mean the client has to encrypt data twice, without adding to the security of the overall connection, since the SSL tunnel to the backend alone will protect the data all the way. I think Oleg is right in calling it an *unusual* setup if the SSL security ends at the proxy.

regards,
  Roland

> [...]
> AFAIK, what Oleg describes is not only the conventional, but the official (and possibly only) way to do SSL through a proxy. I recently read up on the details (e.g., see http://muffin.doit.org/docs/rfc/tunneling_ssl.html), and found that tunneling is probably the only way to do it.
>
> regards
> Christian
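An added example, not code from this thread or from HttpClient, of the tunnelling exchange the message describes: the client asks the proxy for a raw tunnel with an HTTP CONNECT request, the proxy answers with a status line, and only then does the client run its TLS handshake through the tunnel against the backend's host name, so the proxy relays ciphertext it cannot read and the security association ends at the backend rather than at the proxy. It is written in Python with the standard library only; `build_connect_request`, `parse_connect_response`, `proxy_handle_connect` and `open_tunnel` are this example's own names, the proxy side is a minimal stand-in that only checks the request, and the host names used are placeholders.

```python
import socket
import ssl
from typing import Optional, Tuple

# Added example (not HttpClient code): the HTTP CONNECT exchange that lets
# TLS run end-to-end through a proxy. Both sides of the exchange are shown.


def build_connect_request(host: str, port: int,
                          proxy_auth: Optional[str] = None) -> bytes:
    """Client side: ask the proxy for a raw TCP tunnel to host:port.

    The proxy learns only the destination name and port; everything the
    client sends after a 200 reply is opaque to it.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:  # e.g. "Basic <base64>" after the proxy answered 407
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str, bytes]:
    """Client side: split the proxy's reply from any bytes that follow it.

    Returns (status_code, reason, leftover). Raises ValueError if the reply
    is incomplete or malformed.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or not parts[1].isdigit()):
        raise ValueError(f"bad status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, leftover


def proxy_handle_connect(request: bytes, allowed_ports=(443,)) -> bytes:
    """Proxy side (stand-in): accept CONNECT to an allowed port, refuse the rest.

    A real proxy would then open the TCP connection to host:port and copy
    bytes in both directions without interpreting them.
    """
    try:
        request_line = request.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    host, sep, port_text = target.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if int(port_text) not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def open_tunnel(proxy_host: str, proxy_port: int, target_host: str,
                target_port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect to the proxy, obtain a tunnel, then run TLS through it.

    The handshake and certificate check are against target_host, not the
    proxy, so the secured connection reaches the backend server.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed connection before replying")
            buf += chunk
            if len(buf) > 64 * 1024:
                raise ConnectionError("proxy reply too large")
        status, reason, leftover = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError(f"proxy refused tunnel: {status} {reason}")
        # In TLS the client sends the first handshake message, so bytes that
        # arrive together with the 200 reply cannot come from the backend.
        if leftover:
            raise ConnectionError("unexpected data before TLS handshake")
        ctx = ssl.create_default_context()  # verifies the backend certificate
        return ctx.wrap_socket(sock, server_hostname=target_host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Offline round trip of the two messages; host names are placeholders.
    req = build_connect_request("backend.example.com", 443)
    resp = proxy_handle_connect(req)
    print(req.decode(), resp.decode(), parse_connect_response(resp))
```

The point of the layering is visible in `open_tunnel`: the proxy's reply is consumed before `wrap_socket` is called, and the TLS context is told the backend's name, so a proxy that terminated SSL itself would fail the certificate check instead of silently becoming the end of the secured connection.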