
I came across an open source SOCKS client library that supports connecting to a SOCKS proxy using a trustmanager key to verify the remote server.

However, I have been unable to find SOCKS proxy servers that support this. Are these available at all, commercial or not?

The library in question is sockslib (Java), which sports this specific client example.

A related question: with this specific library, it is possible to define both a keymanager key (in addition to the trustmanager key) and normal credentials. Does this make sense for SOCKS servers?

Benny Bottema

  • It is possible for a client to connect to a proxy itself using SSL, if it knows it is connecting to a proxy that expects SSL. But after the connection to the remote server is created, the client is supposed to create any server-side SSL session with the server directly; the proxy is just a pass-through. I don't see how it makes sense for the proxy to verify the server when the server doesn't know what kind of client has connected to it; the server cannot perform a double handshake. Unless the proxy is sniffing any SSL handshake that the client and server may exchange with each other... – Remy Lebeau Jun 07 '16 at 20:56
  • ... but that is not the proxy's responsibility; the client is expected to verify the identity of the server, and vice versa, as needed. – Remy Lebeau Jun 07 '16 at 21:01
  • There is no such thing as a TrustManager key. – user207421 Jun 07 '16 at 22:43
  • @EJP I checked, and TrustManagers are a Java mechanism for managing X.509 public key certificates, to confirm a server's identity. – Benny Bottema Jun 08 '16 at 04:45
  • "...using a trustmanager key to verify the remote server." - from a short look at the source code of the library: it is only verifying the connection to the proxy, not to the remote server. Which makes sense, because a SOCKS proxy just creates a layer 4 tunnel and is not even aware of the protocol spoken inside the tunnel. This means that it also does not know whether TLS is used or not. – Steffen Ullrich Jun 08 '16 at 05:12
  • @SteffenUllrich Exactly, but I can't find a proxy server that supports this. – Benny Bottema Jun 08 '16 at 10:45

1 Answer


WinGate SOCKS server supports accepting a connection (TCP) and immediately performing a TLS handshake on it prior to the SOCKS protocol.

It also supports authenticating to the SOCKS server using client certificates. Or you can just do plaintext (or even GSS-API) auth after that.

Note that this is NOT the method proposed in draft-aft-socks-ssl-00 in 1997, which proposed layering TLS over the top of SOCKS framing (IMO an unnecessarily complicated way of doing it, which only provides a single benefit - being able to negotiate SSL or not - with a lot of downsides).

Adrien
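The layering the answer describes (a TLS handshake with the proxy first, then ordinary SOCKS5 framing spoken unchanged inside that session), as an added Python example that is neither sockslib's nor WinGate's code. The CA file (the TrustManager role), the optional client certificate (the KeyManager role), the proxy and destination names, and the choice of the no-auth SOCKS method are all assumptions supplied by the caller; as the comments point out, the proxy's certificate check says nothing about the destination server, which the client must still authenticate end to end.

```python
import socket
import ssl
import struct

# SOCKS5 (RFC 1928) framing, spoken unchanged *inside* the TLS session to the proxy.
def socks5_greeting(methods=(0x00,)):
    """Client greeting: version 5 followed by the offered auth methods (0x00 = no auth, assumed)."""
    return bytes([0x05, len(methods), *methods])

def socks5_connect_request(host, port):
    """CONNECT request using a domain-name address (ATYP 0x03) so the proxy resolves it."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_socks5_reply(data):
    """Return (status, bound_host, bound_port) from a SOCKS5 reply."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == 0x01:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 0x04:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return status, host, struct.unpack("!H", rest[:2])[0]

def proxy_tls_context(ca_file, client_cert=None, client_key=None):
    """Trust store for the proxy's certificate (TrustManager role) plus an optional
    client certificate for certificate auth to the proxy (KeyManager role); paths are assumed."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, ctx):
    """TLS handshake with the proxy first, then a plain SOCKS5 CONNECT inside it."""
    tls = ctx.wrap_socket(socket.create_connection((proxy_host, proxy_port)),
                          server_hostname=proxy_host)  # authenticates the proxy only
    tls.sendall(socks5_greeting())
    if tls.recv(2) != b"\x05\x00":
        raise ConnectionError("proxy did not accept the no-auth method")
    tls.sendall(socks5_connect_request(dest_host, dest_port))
    status, _, _ = parse_socks5_reply(tls.recv(262))  # a SOCKS5 reply is at most 262 bytes
    if status != 0x00:
        raise ConnectionError(f"SOCKS CONNECT failed, status {status:#x}")
    return tls  # dest_host is still unverified: run end-to-end TLS (ssl.SSLObject/MemoryBIO) inside this tunnel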