Is it possible to have HTTPS connections over proxy servers? If yes, what kind of proxy server allows this?

A: 

TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Nevertheless, you could use the following hack:

  1. Client starts HTTPS session
  2. Proxy intercepts the call and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
  3. Proxy starts HTTPS session to target
  4. Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
  5. Proxy streams content, decrypts it and re-encrypts it with Ka
  6. Client displays stuff

I think I heard of a solution implementing this. Unfortunately, I can't remember its name.

phihag
This could work in principle, but that's not the way browsers talk to HTTP proxies for HTTPS requests. The way it's described here implies that the proxy server is effectively a Man-In-The-Middle (so would have to be trusted accordingly).
Bruno
http://www.oxid.it/cain.html
George Tsiokos
+1  A: 

As far as I can remember, you need to use an HTTP CONNECT query on the proxy. This will then convert the request connection to a transparent TCP/IP tunnel.

So you need to know if the proxy server you use supports this protocol.

chburd
Indeed, clients use the CONNECT verb to use https:// URIs via HTTP proxy servers. In this case, the connection is tunnelled through the proxy, so the certificate verification is done as usual, as if the client was talking directly to the end server.
Bruno
A: 

What if we assume that the client doesn't validate the proxy's certificate? (He only trusts the server's certificate). Is it possible then to communicate with the server on https if the client has a valid proxy set?

You should've edited your question. By answering, nobody saw it. Answer's yes.
phihag
A: 

If it's still of interest, here is an answer to a similar question: http://stackoverflow.com/questions/3118602/convert-http-proxy-to-https-proxy-in-twisted/3186044#3186044

To answer the second part of the question:

If yes, what kind of proxy server allows this?

Out of the box, most proxy servers will be configured to allow HTTPS connections only to port 443, so https URIs with custom ports wouldn't work. This is generally configurable, depending on the proxy server. Squid and TinyProxy support this, for example.

Bruno
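
The CONNECT tunnelling and the port-443 default described in the answers above, as an added Python example that is not code from any of the posters. The function names and the `ALLOWED_PORTS` allowlist are assumptions made for illustration; real proxies such as Squid and TinyProxy express this policy in their own configuration.

```python
import socket
import ssl

ALLOWED_PORTS = {443}  # assumption: the common proxy default mentioned above

def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None if malformed."""
    parts = request.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
        return None
    return host, int(port)

def proxy_decision(request: bytes, allowed_ports=ALLOWED_PORTS) -> bytes:
    """Proxy side: the reply sent before any bytes are relayed."""
    target = parse_connect(request)
    if target is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if target[1] not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"

def open_tunnel(sock: socket.socket, host: str, port: int = 443) -> ssl.SSLSocket:
    """Client side: sock is already connected to the proxy."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        head += chunk
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        raise ConnectionError("proxy refused the tunnel")
    # The TLS handshake runs end to end through the tunnel, so the
    # certificate checked here is the origin server's, not the proxy's.
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```

After a 200 reply the proxy only relays bytes, which is why an https URI on a custom port fails with 403 until that port is added to the proxy's allowlist.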