Article delegate-en/1495 of [1-5169] on the server localhost:119
[Reference:<_A1494@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: HTTPS -> HTTP -> virus-checking ->HTTP -> HTTPS
18 Jan 2002 07:06:11 GMT feedback@delegate.org (Yutaka Sato)


On 01/18/02(05:07) you Tobias Geis <p2acqbdyi-6cvkctf3sbnr.ml@ml.delegate.org> wrote
in <_A1494@delegate-en.ML_>
 |>  |how do i configure delegate to do:
 |>  |HTTPS-Server -> HTTP -> virus-checking ->HTTP -> HTTPS-Client
 |>  |
 |>  |I want delegate to decrypt HTTPS for virus-checking and encrypt the checked
 |>  |data for the HTTPS-Client.
 |> 
 |> It depends how the "virus-checking" works: as an HTTP proxy, as
 |> a filter program, or something else?
 |
 |We have programs which work as an HTTP proxy and programs with filters.
 |Is there a big difference between the configurations?

I suppose you need to connect to arbitrary HTTPS servers via an
HTTP proxy (with virus checking).  So you will use the HTTP proxy
as an "SSL tunneling" proxy, which is usually named "security proxy",
"secure proxy", "SSL proxy", and so on in browsers' configuration
menus.
An HTTP proxy doing SSL tunneling just transparently relays the connection
between client and server after it has been established with the CONNECT
method of HTTP; it never treats a URL like "https://...".
So an "https:" request relayed with bare HTTP content, possibly
decoded by DeleGate, might not be relayed by some proxies.
Thus if you can use your virus-checking program as a filter program
attached to DeleGate, it will be less troublesome.

 |I know that I have to work with the FCL/FSV sslway filter, the keys and
 |certificates, but I do not really know how to use the parameters.

As far as I remember, no one has asked about using SSLway with SSL tunneling,
thus it has not been supported yet.  It will be configured like this:

       (SSL tunneling)
       CONNECT/HTTP+HTTPS  <-------- HTTP ------------->   HTTPS

client *****************       +----DeleGate----+         ******** server
                       *       |                |         *
                       *       |                |         *
                       FCL=sslway      FFROMSV=vchk ---- FSV=sslway

To make this work, SSL encryption in SSL tunneling must be supported
in SSLway, as in the enclosed patch, which will be activated with the "-st"
option.  The necessary parameters will be like this:

  FCL="sslway -st"
  FSV=sslway
  FFROMSV=your-virus-checking-program

Your virus-checking program must be a filter program which reads the
HTTP response message from standard input and writes it to standard output.

Cheers,
Yutaka
--
  @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan

*** ../delegate7.8.1/filters/sslway.c	Tue Nov 20 08:04:24 2001
--- sslway.c	Fri Jan 18 15:21:06 2002
***************
*** 658,663 ****
--- 658,670 ----
  			break;
  		}
  
+ 		/* HTTP */
+ 		if( strcasecmp(com,"CONNECT") == 0 ){
+ 			if( proto == 0 ){
+ 				proto = "http";
+ 			}
+ 		}
+ 
  		if( do_accSTLS == 2 ){
  			ERROR("STARTTLS required");
  			if( proto != 0 && strcasecmp(proto,"IMAP") == 0 )
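Review bot: the new CONNECT branch sets `proto = "http"` unconditionally, while the message says this behaviour is activated only by the new "-st" option; nothing in this hunk consults that option, so either the gate lives outside the visible context or every CONNECT seen by sslway (including a plain FCL=sslway setup) now takes the HTTP prologue path. Please point at where "-st" is checked, or gate this block on it. Minor: `proto == 0` here versus `proto != NULL` in the second hunk for the same pointer; pick one spelling.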
***************
*** 692,697 ****
--- 699,712 ----
  		if( fgets(buf,sizeof(buf),fs) == NULL )
  			return -1;
  		fputs(buf,tc);
+ 		}
+ 		/* HTTP */
+ 		if( proto != NULL && streq(proto,"http") ){
+ 			if( buf[0] == '\r' || buf[1] == '\n' ){
+ 				ERROR("STARTTLS prologue: S-C HTTP-CONNECT DONE");
+ 				fflush(tc);
+ 				break;
+ 			}
  		}
  		if( dp = strpbrk(buf,"\r\n") )
  			*dp = 0;
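Review bot: the end-of-headers test `buf[0] == '\r' || buf[1] == '\n'` misses a bare-LF blank line and matches any one-character header line: for "\n" alone buf[0] is '\n' and buf[1] is '\0', so the loop keeps reading, while a line such as "x\n" satisfies `buf[1] == '\n'` and ends the prologue early. It should read `buf[0] == '\r' || buf[0] == '\n'`. Also, the inserted `}` just before the `/* HTTP */` block sits at the same indentation as the existing `}` after it, so from the hunk alone it is not possible to confirm which scope each one closes; a few more context lines would help. Finally, ERROR() is used to report a normal completion ("... HTTP-CONNECT DONE"), which will read as a failure in the log.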

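The two parts of the message above that are easiest to get wrong in practice are the CONNECT prologue that an SSL-tunneling hop (and therefore "sslway -st") must read before TLS starts, and the stdin/stdout contract of the FFROMSV filter program. The block below is an added example written for this page; it is not code from DeleGate or sslway. The "signature" string, the sample messages, the host names, and the assumption that DeleGate hands the filter one complete response on stdin are all constructed or assumed for illustration. It goes a little beyond the message by decoding a chunked body before scanning, so a pattern split across chunk boundaries is still found.

```python
# Added example, not DeleGate or sslway code: the CONNECT prologue a tunnel
# hop sees (what "sslway -st" must read before TLS) and an FFROMSV-style
# filter reading one HTTP response on stdin.  All samples are constructed.
import re
import sys

# End of the HTTP head: an empty line ended by CRLF or, leniently, a bare LF.
HEADER_END = re.compile(rb"\r?\n\r?\n")
# Constructed placeholder "signature"; a real scanner would use its own engine.
SIGNATURES = [b"X-TEST-SIGNATURE-DO-NOT-RUN"]


def split_head(raw):
    """Split an HTTP message into (head, body); head excludes the blank line."""
    m = HEADER_END.search(raw)
    if m is None:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def parse_connect_prologue(raw):
    """Parse what a tunneling proxy receives: CONNECT host:port HTTP/1.x ...

    Returns (host, port, headers, remainder).  The remainder is whatever the
    client sent after the blank line; on a plain tunnel that is the TLS
    ClientHello, relayed opaquely.  The target is only host:port, so an
    "https://..." URL never reaches this hop.
    """
    head, rest = split_head(raw)
    lines = head.splitlines()
    method, target, _version = lines[0].split(b" ", 2)
    if method.upper() != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(b":")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return host.decode(), int(port), headers, rest


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body into the bytes it carries."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # chunk-size; extensions ignored
        pos = nl + 2
        if size == 0:
            break  # last-chunk; a trailer section, if any, is dropped
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def filter_http_response(raw, signatures):
    """FFROMSV-style filter: return (bytes to pass to the client, blocked?).

    The body is decoded before scanning, so a signature split across chunk
    boundaries is still found; a hit replaces the whole response with a 403.
    """
    head, body = split_head(raw)
    status_line, *header_lines = head.splitlines()
    version = status_line.split(b" ", 1)[0]
    headers = {}
    for ln in header_lines:
        name, _, value = ln.partition(b":")
        headers[name.strip().lower()] = value.strip()
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    if chunked:
        body = dechunk(body)
    elif b"content-length" in headers:
        body = body[:int(headers[b"content-length"])]
    if any(sig in body for sig in signatures):
        text = b"blocked by content filter\r\n"
        return (version + b" 403 Forbidden\r\nContent-Type: text/plain\r\n"
                b"Content-Length: " + str(len(text)).encode() +
                b"\r\nConnection: close\r\n\r\n" + text), True
    if chunked:
        # The chunked framing was consumed; re-emit with a fixed length.
        drop = (b"transfer-encoding", b"content-length")
        kept = [status_line] + [ln for ln in header_lines if not ln.lower().startswith(drop)]
        kept.append(b"Content-Length: " + str(len(body)).encode())
        return b"\r\n".join(kept) + b"\r\n\r\n" + body, False
    return raw, False


# Constructed samples: a CONNECT prologue followed by the first TLS record bytes,
# and a chunked response whose signature straddles two chunks (13 + 14 bytes).
SAMPLE_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                  b"Host: www.example.com:443\r\n\r\n\x16\x03\x01")
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"d\r\nX-TEST-SIGNAT\r\ne\r\nURE-DO-NOT-RUN\r\n0\r\n\r\n")

if __name__ == "__main__":
    # Assumption: DeleGate hands the filter one complete response on stdin and
    # forwards whatever it writes on stdout.
    sys.stdout.buffer.write(filter_http_response(sys.stdin.buffer.read(), SIGNATURES)[0])
```

Configured as FFROMSV=/path/to/this-filter (path assumed), it reads the server's response from stdin and writes either the unchanged response or a 403 to stdout. The CONNECT parser shows why a tunnel cannot be asked to check "https:" URLs: the only thing it sees in the clear is `host:port`, and everything after the blank line is the TLS handshake.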