On Mon, Feb 10, 2003 at 10:02:30AM +0530, Chandrasekhar R S wrote:
> It seems I have not explained myself ably.
>
> I completely understand that Private Keys should and would never be sent
> across.
>
> But assume that you are going through a proxy using SSL. And the proxy has
> no capability to verify the certs. That capability is vested with a server
> that sits behind the proxy (I call it the Backend server).
>
> Now all I want is to get the cert presented by the client, to be passed on
> by the proxy, to the backend server.
>
> Usually proxies replicate a connection they receive. i.e., they will
> initiate a new connection to the Backend Server, for every connection they
> receive from the client. Thus we have two separate SSL connections between
> the client and the backend server. One from client to the proxy and the
> other from proxy to the backend server.

To do that, the proxy should prove to the client that the Common Name of its SSL server certificate is the host part of the URL the client is trying to connect to.

> In succinct, the question is how to use the cert presented by the client in
> the SSL connection between proxy and the backend server.
>
> thanks to all of you,
> rsr.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Helm
> Sent: Monday, February 10, 2003 1:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Tunneling Client Certs
>
>
> > > I have the following scenario -
> > >
> > > Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
> > >
> > > The requirement is to pass the Client Cert to the Backend server.
>
> > If you could do that then anyone who had access to a certificate
> > (for example the recipient of signed email) could impersonate the sender or
>
> You may want to look at how Globus deals with a similar problem
> for grids; see:
> http://www-fp.globus.org/security/
> and
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-03.txt
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]