Hello,
I am trying to
solve a very peculiar problem. In my application, there are three
players:
1. Client - runs a
regular web browser.
2. Proxy - runs my
proxy application with OpenSSL 0.9.7c
3. Host - runs my
host application with OpenSSL 0.97c
Proxy accepts
connections from both the Client and the Host. Proxy has a real CA certificate,
therefore it is trusted by the Client and the Host. Host has an install-time
generated self-signed certificate that is registered on the Proxy upon the first
connection and verified upon subsequent ones.
Host connects to
Proxy and waits. Client connects to Proxy and wishes to talk to Host.
Client can verify
Proxy's identity, and by trusting Proxy it can also rely on Host's identity
being verified as Host needs to authenticate with a client certificate towards
Proxy.
Now Proxy can
shuffle data between Client and Host. The easy way to do it is by receiving data
from Client through its SSL channel, (effectively decrypting) it, and sending it
to Host (re-encrypting it) through Host's SSL channel. The response comes from
Host, it's decrypted/re-encrypted, and transmitted to
Client.
Proxy cannot
simply shuffle TCP traffic, obviously, because Client, being a standard browser,
does not trust Host's certificate - and even if it did, the CN would not
match.
The first question
is, is this cryptographically sound if we assume that Proxy has not fallen into
the wrong hands?
The second
question is, can this be improved? For example, can we get rid of the
decryption/re-encryption phase? Can I somehow manage to get both Host and
Client to negotiate the same cipher suite and session key? I have total control
over the code that runs on Proxy and Host, but Client can be any web
browser.
Please note that I
am just an ordinary SSL user and do not understand its internal workings to 100%
- so I apologize if the latter question is dumb.
Furthermore, if
someone were willing to consult me on this matter I would, of
course, be willing to pay appropirate compensation for their
time.
Thanks in
advance,
Marton
Anka
