Oh! I totally misunderstood this. I thought OP wanted to MITM SSL sessions 
(which is possible, if (a) the traffic is decrypted, (b) certs are reissued and 
resigned, and (c) the client TRUSTS the modified cert chain (typically its root 
cert)).

This is just an HTTPS proxy, in which case the other answers about terminating the 
HTTP connection first are correct.


-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of David Schwartz
Sent: Tue 7/27/2010 4:19 AM
To: openssl-users@openssl.org
Subject: RE: Man in the middle proxy - Not working
 
Alexey Drozdov wrote:

> Hi!
> 
> When you set up proxy settings for browsers, they use the HTTP CONNECT
> method to establish a pure TCP connection via the proxy (not for local
> resources).
> It looks like this:
> 
> Client sends an HTTP request to the proxy:
>       CONNECT remotehost:port HTTP/1.1
>       Host: remotehost:port
> 
> and then waits for an HTTP response like:
>       HTTP/1.1 200 Connection established
> 
> Then the browser initiates the SSL handshake over this pure TCP channel.
> 
> Your proxy gets the HTTP request instead of the SSL handshake and fails:
> 2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
> request:.ssls23_srvr.c:391
> 
> ---
> / Alexey Drozdov

In other words, you switched to SSL too early. The way you did it, how would
you know what host and port you were supposed to proxy a connection to?! You
have to wait and get the CONNECT request from the client to know what host
and port they want a connection to. Then send an HTTP 200 reply, and then
begin proxying.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
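The CONNECT exchange described in the thread, as an added example that is not code from the original posts or from OpenSSL: a minimal CONNECT proxy that reads the client's request headers, extracts remotehost:port from the request line, replies "200 Connection established", and only then relays bytes in both directions. Everything after the 200, including the TLS handshake, passes through untouched. The proxy never calls into an SSL library, which is the point of David's reply. The echo server and the demo() client are constructed stand-ins for the remote host and the browser; the hostnames, ports and function names are assumptions for this example only.

```python
"""CONNECT proxy: parse CONNECT, reply 200, then tunnel raw bytes.

Added example for the openssl-users thread above, not code from the thread.
"""
import re
import socket
import threading

# Request line per RFC 7231 §4.3.6: CONNECT host:port HTTP/1.x (IPv6 in brackets).
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+|\[[^\]]+\]):(\d{1,5})\s+HTTP/1\.[01]\r\n")


def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if it is not one."""
    m = CONNECT_RE.match(head)
    if not m:
        return None
    host, port = m.group(1).decode("ascii").strip("[]"), int(m.group(2))
    return (host, port) if 0 < port < 65536 else None


def read_request_head(sock, limit=8192):
    """Read up to the blank line that ends the headers; also return any early bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            return None
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n", rest  # rest: bytes sent before the 200 (none from a well-behaved client)


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client):
    """The sequence from the thread: CONNECT first, 200 second, tunnel third."""
    with client:
        got = read_request_head(client)
        if got is None:
            return
        head, early = got
        target = parse_connect(head)
        if target is None:  # starting TLS here is exactly the mistake that produced the s23 error
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(target, timeout=10)
        except OSError:
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
            return
        with upstream:
            upstream.settimeout(None)
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if early:
                upstream.sendall(early)
            t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            t.start()
            pump(client, upstream)  # the ClientHello and all later TLS records flow through here
            t.join()


def _listen(handler):
    """Bind a loopback listener, serve each connection on a thread, return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(c,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def _echo(c):
    """Constructed stand-in for remotehost:port: echoes whatever it receives."""
    with c:
        while data := c.recv(4096):
            c.sendall(data)


def demo():
    """Constructed browser-side exchange: CONNECT, expect 200, then send raw bytes."""
    ehost, eport = _listen(_echo)
    proxy = _listen(handle_client)
    with socket.create_connection(proxy, timeout=5) as c:
        c.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (ehost.encode(), eport, ehost.encode(), eport))
        resp = b""
        while b"\r\n\r\n" not in resp:
            chunk = c.recv(4096)
            if not chunk:
                return False
            resp += chunk
        if not resp.startswith(b"HTTP/1.1 200"):
            return False
        payload = b"\x16\x03\x01\x00\x05hello"  # shaped like a TLS record header; the proxy never looks at it
        c.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
        return got == payload


if __name__ == "__main__":
    print("tunnel ok" if demo() else "tunnel failed")
```

A proxy that does want to inspect the TLS session (the MITM case mentioned at the top of the thread) would do its SSL_accept only after this 200 reply, and would still need the client to trust whatever certificate it presents for remotehost.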