In-Reply-To: <1596659.yLNDsHBpAc@estarola>
References: <1596659.yLNDsHBpAc@estarola>
Date: Mon, 28 May 2012 16:02:44 -0400
Subject: Re: Apache proxy sending client certificate on behalf of the client
From: Eric Covener
To: dev@httpd.apache.org

On Mon, May 28, 2012 at 3:53 PM, Duarte Silva wrote:
> Hi all,
>
> I know this should be impossible ("sounds" to me like a MITM), but bear with
> me for a second and please tell me if this is in any way possible:
>
> Client (HTTPS request) -> Apache (Forward Proxy) -> Server (HTTPS)
>                           \___________________/
>                                   \/
>                 Sends the client certificate on behalf of
>                               the client
>
>
> Note that the client is able to create SSL connections but it is not able to
> send client certificate. Since the Apache is the one opening the connection
> to the end Server, isn't there a way to force Apache to send a specific client
> cert (the handshake is done in the Client even though the server is?
>
> If it isn't, are there any alternatives that do this? Maybe if it was a
> transparent proxy?

http://httpd.apache.org/userslist.html