Article delegate-en/1497 of [1-5169] on the server localhost:119
[Reference:<_A1495@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: HTTPS -> HTTP -> virus-checking ->HTTP -> HTTPS
21 Jan 2002 22:05:47 GMT Tobias Geis <p2acqbdyi-q4vsjhq7qrvr.ml@ml.delegate.org>
Privat


Hi,
first of all thanks for your help.

But it still does not work like I want. :-(

I need a configuration like the following:

+--------+   +----------+   +----------+   +----------+   +---------+
|Client  |***|Delegate 1|---|Viruscheck|---|Delegate 2|***|Server   |
|PubKey A|   |PrivKey A |   |  Proxy   |   |PubKey B  |   |PrivKey B|
+--------+   +----------+   +----------+   +----------+   +---------+


  *** HTTPS
  --- HTTP
  +-+
  | | Hardware-box
  +-+

So I have to run two Delegates on Linux systems.
It works fine when Delegate 1 AND 2 have the same certificates and keys
(server-cert.pem and server-key.pem) as the Apache HTTPS server.

But in the "real" world I do not know the servers private key.

I do not know how to solve this problem.
Your software is the first one that I think would give me the ability to
solve my problem.

I hope I do not get on your nerves and you can give me some tips. :-)

Ciao
Tobias

P.S.: I am using your current alpha version with the patch you sent me.




Yutaka Sato wrote:

> On 01/18/02(05:07) you Tobias Geis <p2acqbdyi-q4vsjhq7qrvr.ml@ml.delegate.org> wrote
> in <_A1494@delegate-en.ML_>
>  |>  |how do I configure delegate to do:
>  |>  |HTTPS-Server -> HTTP -> virus-checking ->HTTP -> HTTPS-Client
>  |>  |
>  |>  |I want delegate to decrypt HTTPS for virus-checking and encrypt the checked
>  |>  |data for the HTTPS-Client.
>  |> 
>  |> It depends on how the "virus-checking" works, as an HTTP proxy, or
>  |> a filter program, or else?
>  |
>  |We have programs which work as an HTTP proxy and programs with filters.
>  |Is there a big difference between the configurations?
> 
> I suppose you need to connect to arbitrary HTTPS servers via an
> HTTP proxy (with virus checking).  So you will use the HTTP proxy
> as a "SSL tunneling" proxy, which is usually named "security proxy",
> "secure proxy", "SSL proxy", and so on in browsers' configuration
> menus.
> An HTTP proxy doing SSL tunneling just transparently relays the connection
> between client and server after it has been connected by the CONNECT method
> on HTTP; it never treats a URL like "https://...".
> So an "https:" request relayed with bare HTTP content, possibly
> decoded by DeleGate, might not be relayed by some proxies.
> Thus if you can use your virus-checking program as a filter program
> attached to DeleGate, it will be less troublesome.
> 
>  |I know that I have to work with the FCL/FSV sslway filter, the keys and 
>  |certificates, but I do not really know how to use the parameters.
> 
> As far as I remember, no one has asked about using SSLway with SSL tunneling,
> thus it has not been supported yet.  It will be configured like this:
> 
>        (SSL tunneling)
>        CONNECT/HTTP+HTTPS  <-------- HTTP ------------->   HTTPS
> 
> client *****************       +----DeleGate----+         ******** server
>                        *       |                |         *
>                        *       |                |         *
>                        FCL=sslway      FFROMSV=vchk ---- FSV=sslway
> 
> To make this work, SSL encryption in SSL tunneling must be supported
> in SSLway, like the enclosed patch, which will be activated with "-st"
> option.  The necessary parameters will be like this:
> 
>   FCL="sslway -st"
>   FSV=sslway
>   FFROMSV=your-virus-checking-program
> 
> Your virus-checking program must be a filter program which reads the
> HTTP response message from standard input and writes it to standard output.
> 
> Cheers,
> Yutaka
> --
>   @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
>  ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> 
> *** ../delegate7.8.1/filters/sslway.c	Tue Nov 20 08:04:24 2001
> --- sslway.c	Fri Jan 18 15:21:06 2002
> ***************
> *** 658,663 ****
> --- 658,670 ----
>   			break;
>   		}
>   
> + 		/* HTTP */
> + 		if( strcasecmp(com,"CONNECT") == 0 ){
> + 			if( proto == 0 ){
> + 				proto = "http";
> + 			}
> + 		}
> + 
>   		if( do_accSTLS == 2 ){
>   			ERROR("STARTTLS required");
>   			if( proto != 0 && strcasecmp(proto,"IMAP") == 0 )
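Review bot: The "-st" option that the mail says activates this behaviour is not tested anywhere in this hunk: `if( strcasecmp(com,"CONNECT") == 0 ){` sets proto to "http" for every CONNECT request whenever proto is still unset, so sslway running without -st would also switch into the new HTTP prologue handling. If -st is meant to be the switch, gate the branch on its flag, e.g. `if( opt_st && strcasecmp(com,"CONNECT") == 0 ){` (opt_st is a hypothetical name), and expand the bare `/* HTTP */` comment to say that this treats the CONNECT request as the plaintext prologue that precedes SSL in tunneling mode.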
> ***************
> *** 692,697 ****
> --- 699,712 ----
>   		if( fgets(buf,sizeof(buf),fs) == NULL )
>   			return -1;
>   		fputs(buf,tc);
> + 		}
> + 		/* HTTP */
> + 		if( proto != NULL && streq(proto,"http") ){
> + 			if( buf[0] == '\r' || buf[1] == '\n' ){
> + 				ERROR("STARTTLS prologue: S-C HTTP-CONNECT DONE");
> + 				fflush(tc);
> + 				break;
> + 			}
>   		}
>   		if( dp = strpbrk(buf,"\r\n") )
>   			*dp = 0;
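Review bot: In `if( buf[0] == '\r' || buf[1] == '\n' ){` the second test looks like a typo for `buf[0] == '\n'`: as written it never matches a bare-LF blank line (buf[0] == '\n', buf[1] == 0), so a CONNECT response with LF-only line endings would not end the prologue, while it does match any one-character line such as "x\n". Suggest `if( buf[0] == '\r' || buf[0] == '\n' ){`. The diagnostic is also emitted through ERROR() although reaching the end of the CONNECT headers is the expected path, so a debug-level message would be less misleading in logs.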
> 
> 
> 




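The CONNECT prologue described in the reply above, as an added example that is not DeleGate's or the author's code: it locates the point where an SSL-tunneling proxy's own HTTP exchange ends and the opaque SSL bytes begin, accepting both CRLF and bare-LF blank lines and rejecting a refused tunnel. The sample responses are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* True for the empty line that ends an HTTP header block. Both "\r\n"
 * and a bare "\n" count; an LF-only line has line[0] == '\n'. */
int is_end_of_headers(const char *line)
{
    return line[0] == '\r' || line[0] == '\n';
}

/* Scan a proxy's CONNECT response held in memory. Returns the offset of the
 * first tunnel byte (just past the blank line), where the SSL handshake starts
 * and the proxy must stop interpreting the stream; -1 if the proxy refused
 * (non-2xx status) or the header block is not complete yet. */
long connect_prologue_end(const char *resp, size_t len)
{
    size_t pos = 0;
    int first = 1;
    while (pos < len) {
        const char *line = resp + pos;
        const char *nl = memchr(line, '\n', len - pos);
        if (nl == NULL)
            return -1;                    /* need more bytes */
        size_t next = (size_t)(nl - resp) + 1;
        if (first) {                      /* "HTTP/1.x 2xx ..." */
            if ((size_t)(nl - line) < 12 || strncmp(line, "HTTP/1.", 7) != 0
                || line[8] != ' ' || line[9] != '2')
                return -1;
            first = 0;
        } else if (is_end_of_headers(line)) {
            return (long)next;
        }
        pos = next;
    }
    return -1;
}

/* Constructed samples: a CRLF response followed by the first bytes of an SSL
 * record, the same exchange with bare-LF line endings, and a refusal. */
static const char SAMPLE_CRLF[] =
    "HTTP/1.0 200 Connection established\r\nProxy-agent: example\r\n\r\n\x16\x03\x01";
static const char SAMPLE_LF[] = "HTTP/1.1 200 OK\n\n\x16\x03\x01";
static const char SAMPLE_DENIED[] = "HTTP/1.1 403 Forbidden\r\n\r\n";

int main(void)
{
    long off = connect_prologue_end(SAMPLE_CRLF, sizeof SAMPLE_CRLF - 1);
    printf("tunnel data starts at offset %ld\n", off);   /* 61 */
    return 0;
}
```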