I am building a proxy server in C# and I am trying to figure out how to support HTTPS requests, and read through them. Can you suggest any articles, tutorials, or open source projects where I can learn more on how to implement this feature?

A: 

If by "read through them" you mean "decrypt the contents of the request", the answer is "You can't". What you describe is a so-called "man in the middle attack" (MITM). Obviously, SSL is protected from this.

Now, if you have control over the clients using your proxy (some kind of enterprise environment, or you are creating a competitor to Fiddler), you can subvert SSL by making clients trust your certificates, and then implement your MITM using standard .NET crypto APIs.

PS. For an excellent example of this approach, look at Fiddler with Reflector. :)

Better yet, just use Fiddler. www.fiddler2.com/fiddler/dev/
EricLaw -MSFT-
It would be helpful if you described your exact needs. For instance, why are you writing a proxy instead of a comparably simpler browser extension? I'm not sure what "stats on how long the SSL connection too" means.
EricLaw -MSFT-
There was a typo on the previous post "too" should be "took". I simply need to figure out the time it takes to establish SSL handshake with the server for HTTPS calls issued from objects rendered in the webrowsercontrol. Currently I am relying on the Passthrough App to get the time for each time component of the request, but the problem with that is that you cannot distinguish between the regular Connect time, and the SSL Handshake time. That's why I tried the proxy route, but that has the whole certificates issue. Maybe there is something obvious and simpler which I am not seeing.
webly
Do you want to be able to monitor the SSL overhead in production, or do you just want a number now? In the second case, can you simply measure the time for a call with and without SSL? (Then the difference will be the SSL overhead.) In the first case I think you will have to write a lot of code (does .NET even tell you how long the SSL handshake took if you use HTTP classes? If it doesn't, it looks like you'll have to build your own HTTP layer over raw TCP).
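The timing question in the comments can be answered without a proxy or any interception: open the TCP connection and run the TLS handshake yourself, timing each phase separately. This is an added example, not code from the thread; `HandshakeTimer` and `MeasureAsync` are hypothetical names, the loopback server and its self-signed certificate are constructed so the sample runs offline, and it assumes .NET 5 or later (C# 9).

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class HandshakeTimer // hypothetical name, not from the thread
{
    // Times the TCP connect and the TLS handshake as two separate phases.
    public static async Task<(TimeSpan Connect, TimeSpan Handshake)> MeasureAsync(
        string host, int port, RemoteCertificateValidationCallback validate = null)
    {
        using var tcp = new TcpClient();
        var sw = Stopwatch.StartNew();
        await tcp.ConnectAsync(host, port);            // phase 1: TCP three-way handshake
        var connect = sw.Elapsed;
        using var tls = new SslStream(tcp.GetStream(), false, validate);
        sw.Restart();
        await tls.AuthenticateAsClientAsync(host);     // phase 2: TLS handshake incl. cert validation
        return (connect, sw.Elapsed);
    }

    static async Task Main()
    {
        // Constructed test server: loopback listener with a throwaway self-signed certificate.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(1));
        using var cert = new X509Certificate2(tmp.Export(X509ContentType.Pfx)); // PFX round trip so Windows can use the key
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var server = Task.Run(async () =>
        {
            using var c = await listener.AcceptTcpClientAsync();
            using var s = new SslStream(c.GetStream());
            await s.AuthenticateAsServerAsync(cert);
        });
        // Pin the test certificate by thumbprint rather than switching validation off.
        var (connect, handshake) = await MeasureAsync("127.0.0.1", port,
            (_, presented, _, _) => presented?.GetCertHashString() == cert.Thumbprint);
        await server;
        listener.Stop();
        Console.WriteLine($"TCP connect: {connect.TotalMilliseconds:F2} ms, TLS handshake: {handshake.TotalMilliseconds:F2} ms");
    }
}
```

Against a real server, call `MeasureAsync(host, 443)` with no callback so the default certificate validation stays in force. The figures describe a fresh connection made by this code, so they approximate rather than reproduce what the browser control does.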