> Is it possible to have an OpenSSL server located behind a Network Address
> Translation device (a NAT device is sometimes part of firewalls, e.g.
> the Cisco PIX) and still have the client handshake complete without
> error?

Yes, you can use NAT devices quite easily since they really are just a simple form of proxy to your backend server. The server would still contain your designated DN within the certificate.

As a side note: a problem that can occur with that scenario is load balancing. If your site performs heavy back-end dynamic processing you will need to research products that will help you in this regard.

[snip]

> One might do this because of outsourcing or merger activities that
> result in a new or different firewall.

One also does this to own/rent one Internet IP address only from your local ISP. This is also to prevent making multiple internal IP addresses available to the Internet. ;-)

> Presumably the network between the NAT box and the OpenSSL server is
> secure enough to be tolerable.

It wouldn't matter since the SSL connection was between the client and the server. You would still have encrypted data all the way through (unless your NAT device is capable of doing something like converting HTTPS to HTTP for your backend. Then you might worry...)

> So:
> 1 Will the scenario above work?

Yes

> 2 If not, how can it be made to work?

> Thank you,

You're welcome,

Rob

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
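The two points in the reply above, that address translation is invisible to the TLS handshake because the protocol never looks at the IP header, and that the certificate still has to carry the name the client connects with, can be checked end to end. The Go program below is an added example written for this page; it is not code from the original thread or from OpenSSL. It assumes a hypothetical public name `www.example.com` (what clients resolve to the NAT device's outside address) and a hypothetical internal host name `web01.internal` that never appears in the certificate. The server listens on a loopback port standing in for the backend behind the NAT box, so the address the client dials is never in the certificate, exactly as with a translated public address. A client expecting `www.example.com` completes the handshake; a client expecting `web01.internal` is rejected by hostname verification, showing that what matters is the name in the certificate, not the route the packets took. The function and variable names (`makeCert`, `connect`, `Demo`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical names for this example: the DNS name clients resolve to the
// NAT device's public address, and an internal host name that never appears
// in the certificate.
const (
	publicName   = "www.example.com"
	internalName = "web01.internal"
)

// makeCert builds a self-signed server certificate whose Subject and SAN
// carry only publicName. The same certificate doubles as the client's
// trust root, so no CA is needed for the demonstration.
func makeCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: publicName},
		DNSNames:              []string{publicName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// connect dials addr (the address the client actually reaches, i.e. the
// outside of the NAT box) but verifies the certificate against serverName.
// Nothing in the handshake depends on the IP the packets were sent to; only
// the expected name versus the name in the certificate is checked.
func connect(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo starts a TLS server on a loopback port (standing in for the backend
// behind the NAT box), then performs two client handshakes: one expecting
// publicName, which succeeds, and one expecting internalName, which fails
// hostname verification. It returns whether each handshake completed.
func Demo() (publicOK, internalOK bool, err error) {
	cert, roots, err := makeCert()
	if err != nil {
		return false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed, demo is over
			}
			go func(c net.Conn) {
				defer c.Close()
				// A server-side handshake error is expected for the client
				// that aborts after its own verification fails.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	addr := ln.Addr().String()
	publicOK = connect(addr, publicName, roots) == nil
	internalOK = connect(addr, internalName, roots) == nil
	return publicOK, internalOK, nil
}

func main() {
	pubOK, intOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("handshake expecting %s: %v\n", publicName, pubOK)
	fmt.Printf("handshake expecting %s: %v\n", internalName, intOK)
}
```

Run it with `go run main.go`; the first handshake reports `true` and the second `false`. The one situation the example does not model is the one the reply warns about: a device that terminates HTTPS and forwards plain HTTP must hold the server's private key, at which point the connection the client verified ends at the device rather than at the backend.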