Rene Hollan:
> Oh! I totally misunderstood this.
> I thought OP wanted to MITM SSL sessions (which is possible, if
> (a) the traffic is decrypted, (b) certs are reissued and resigned,
> and (c) the client TRUSTS the modified cert chain (typically its
> root cert)).
> This is just HTTPS Proxy. In which case other answers about
> terminating the HTTP connection first are correct.

No, you were correct. He does want to MITM SSL sessions. A MITM and a normal proxy operate precisely the same way up until the actual proxying part starts. His problem is earlier, when he establishes the connection to the client, determines what host and port the client wants to talk to, and then switches to his SSL proxy/MITM capability. All those steps are the same.

1) Accept plaintext connection.
2) Wait for client to send request.
3) Confirm CONNECT request, host and port valid.
4) Send 200 reply.
5) Make connection to host and port requested by client.
6) If normal proxying, begin proxying (copy ciphertext between client and server). If MITMing, begin MITMing (do SSL negotiation with both client and plaintext, copy plaintext between client and server).

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
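The six steps DS lists, written out as an added Python example; this is not code from the thread or from the OpenSSL project. It uses only the standard library (`ssl` is OpenSSL underneath). The CONNECT parsing and the byte pump of step 6 run over socketpairs; the MITM branch assumes a certificate and key (the path arguments are placeholders) for the target host, signed by a CA the client trusts, which is exactly the "reissued and resigned" cert of Rene Hollan's points (b) and (c). The constructed sample request head is not from the original post.

```python
import re
import socket
import ssl
import threading

# Constructed sample request head (not from the original post).
SAMPLE_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
HEAD_END = re.compile(rb"\r?\n\r?\n")
CONNECT_LINE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>\[[^\]]+\]|[^ \t:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")

def read_request_head(conn, limit=8192):
    """Step 2: read up to the blank line ending the head; returns (head, leftover) or None."""
    buf = b""
    while True:
        m = HEAD_END.search(buf)
        if m:
            return buf[:m.end()], buf[m.end():]
        chunk = conn.recv(4096) if len(buf) <= limit else b""
        if not chunk:
            return None  # EOF, or head larger than we are willing to buffer
        buf += chunk

def parse_connect(head, allowed_ports=(443,)):
    """Step 3: must be CONNECT host:port with a permitted port, else None.
    Restricting ports stops the proxy being used as a generic TCP relay."""
    m = CONNECT_LINE.match(head)
    if not m:
        return None
    host = m.group("host").decode("ascii", "replace").strip("[]")
    port = int(m.group("port"))
    return (host, port) if port in allowed_ports else None

def _teardown(sock):
    """Full close; shutdown first so a recv() blocked in the other thread wakes up."""
    for op in (lambda: sock.shutdown(socket.SHUT_RDWR), sock.close):
        try:
            op()
        except OSError:
            pass

def _reply_and_close(conn, status):
    try:
        conn.sendall(status)
    except OSError:
        pass
    _teardown(conn)

def _copy_one_way(src, dst):
    """Relay src -> dst until EOF or error, then close both ends (no TLS half-close)."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:  # ssl.SSLError is an OSError, so TLS failures land here too
        pass
    finally:
        _teardown(src)
        _teardown(dst)

def pump(a, b):
    """Step 6: one thread per direction; works for plain and ssl-wrapped sockets alike."""
    threads = [threading.Thread(target=_copy_one_way, args=p) for p in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

def mitm_contexts(cert_pem_path, key_pem_path):
    """MITM-mode contexts. cert/key (placeholder paths) must be a leaf for the target
    host signed by a CA the *client* trusts. The upstream side still verifies the real
    server; a MITM that skips that check strips TLS for every client behind it."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert_pem_path, key_pem_path)
    return server_ctx, ssl.create_default_context()

def handle_client(conn, connect=socket.create_connection, mitm=None, allowed_ports=(443,)):
    """Steps 2-6 for one accepted socket (step 1, accept(), is the listener's job).
    mitm=None copies ciphertext; mitm=(server_ctx, client_ctx) terminates TLS on both sides.
    `connect` is injectable so the relay can be driven over socketpairs."""
    got = read_request_head(conn)
    target = parse_connect(got[0], allowed_ports) if got else None
    if target is None:
        _reply_and_close(conn, b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return False
    host, port = target
    try:  # connect before the 200 (DS lists 4 then 5) so a dead host becomes a 502, not a dead tunnel
        upstream = connect((host, port))
    except OSError:
        _reply_and_close(conn, b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        return False
    conn.sendall(OK_REPLY)
    leftover = got[1]
    if mitm is None:
        if leftover:  # bytes the client pipelined after the head belong to the tunnel
            upstream.sendall(leftover)
        pump(conn, upstream)
        return True
    server_ctx, client_ctx = mitm
    tls_client = tls_upstream = None
    try:
        tls_client = server_ctx.wrap_socket(conn, server_side=True)            # client sees our cert
        tls_upstream = client_ctx.wrap_socket(upstream, server_hostname=host)  # we verify the real one
    except OSError:
        _teardown(tls_client or conn)
        _teardown(tls_upstream or upstream)
        return False
    pump(tls_client, tls_upstream)  # plaintext flows here: log, inspect or rewrite as needed
    return True
```

Two points the list leaves implicit are worth making explicit in code: the port check in step 3 is what keeps a CONNECT proxy from becoming an open relay to any TCP service, and in MITM mode the proxy's own connection to the real server must still verify the server certificate, or the proxy has removed TLS protection for every client behind it rather than merely inspected it. Clients send their ClientHello only after the 200 reply, so in MITM mode the handshake toward the client can simply start after that reply; in plain mode any bytes that arrive with the request head are forwarded into the tunnel.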