hc-dev mailing list archives

From "Asankha C. Perera" <asan...@apache.org>
Subject Re: SSL and HTTPService
Date Sun, 20 Nov 2011 06:28:56 GMT
Hi Steve
> 1. one thing that I might have failed to mention is this proxy needs to be
> able to intercept and look at the request before it is being sent to the
> origin server. The whole idea behind this proxy is to be a security tool to
> be able to look and manipulate the request that has been sent by the
> browser before it gets sent to the origin server. Now having said that in
> this case wouldn't the proxy server need to establish an SSL handshake with
> the browser so that the browser will trust and send that encrypted request
> and your proxy will be able to decrypt the encrypted request?
The way SSL operates is that end to end the path would be secured from 
the client making the request to the actual endpoint it's talking to.
Hence, there is no possibility for the proxy to look at the actual 
request or manipulate it - as it violates the whole purpose of SSL.

I am not sure of your exact requirement - but for example if your 
clients are within an intranet wanting to talk to an external endpoint, 
maybe a compromise is that they "explicitly" talk to a well known proxy 
server over SSL (for security), which can then look at or manipulate the 
requests/responses and forward them to the external proxy again over 
*another* SSL connection. Is this acceptable?

cheers
asankha

-- 
Asankha C. Perera
AdroitLogic, http://adroitlogic.org

http://esbmagic.blogspot.com




