Florian Weimer wrote, On 2007-12-07 02:54:
> Is it possible to configure NSS (or, more precisely, Firefox) to
> terminate SSL connections on the web proxy, so that the proxy receives
> requests in the clear (and handles the certificate verification)?

I think, but am not certain, that you're describing something like this:

              Intranet         public Internet
    [browser]----------[proxy]---------------------[server]
                plain                 SSL

and you're asking if the browser can be configured so that when it
attempts to fetch an https URL, it does not use SSL itself, but sends the
request unencrypted as an http request to a proxy on the client's side of
the Internet, and SSL is used between the proxy and the server, but not
between the browser and the proxy.

If that's what you're asking, the answer is: no. The browser cannot be
configured to fetch an https URL without using SSL itself.

You might be asking about either of these alternatives, both of which
assume that the browser is attempting to fetch an https URL:

1. The Man-In-The-Middle proxy

              Intranet         public Internet
    [browser]----------[proxy]---------------------[server]
                 SSL                  SSL

In this picture, the browser is using SSL to talk to the proxy, and the
proxy is using SSL to talk to the server. The SSL is not "end to end".
The proxy decrypts everything coming in one side and encrypts it before
sending it outside the other. This is called a "Man In The Middle" (as
I'm sure you know). It is possible to configure a browser to work with
such a proxy, by configuring the browser to accept certificates from a
pseudo-CA that operates in the proxy. In the absence of such
configuration, the browser should be able to detect all attempts to do
this, as being attacks on the secure communications. (I'm sure you know
this.)

2. The Server Side Proxy (a.k.a. Reverse Proxy)

              Public Internet              Intranet
    [browser]---------------------[proxy]----------[server]
                   SSL                      plain

Here the proxy acts as the server, as seen by the Internet. The browser
connects to the proxy via https with SSL, and the proxy sends the request
on to the true "back end" server as an ordinary http request, in plain
text, unencrypted. This sort of thing happens all the time, and requires
no special browser configuration. The browser simply thinks that the
proxy is the server in the https URL, and contacts it normally with SSL.

If you're asking about something else, please explain.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
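As an added illustration of case 2 above (the server side, or reverse, proxy), and not configuration taken from the thread or from any Mozilla project: an nginx server block in which the proxy terminates SSL/TLS for the browser and forwards the request to the back end as plain HTTP. The hostname www.example.com, the back-end address 10.0.0.10:8080 and the certificate paths are assumptions chosen for the example.

```nginx
# Added example: reverse proxy terminating SSL/TLS (case 2 in the reply).
# Hostname, back-end address and certificate paths are constructed placeholders.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # From here on the request travels in plain HTTP, exactly as the
        # reply describes: the proxy-to-server link must be a trusted
        # intranet segment, because nothing on it is encrypted.
        proxy_pass http://10.0.0.10:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Redirect plain-HTTP requests for the same name, so the only path in from
# the Internet is the SSL/TLS one.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

No browser-side configuration is involved, as the reply says: the browser sees a certificate for www.example.com presented by the proxy and treats the proxy as the server. The X-Forwarded-Proto header is there so the back end can tell that the client-facing leg was HTTPS even though its own leg is plain HTTP, which matters for things like Secure cookie flags and absolute redirect URLs. Contrast this with case 1, where the browser would only accept the proxy's certificates if the proxy's pseudo-CA had been deliberately added to its trust store.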