
We are currently using Apache to handle incoming SSL requests. These are two-way SSL connections. Apache accepts the https connection and passes the request on as an http connection to the application server. This works well for us.

We would like to use the same kind of centralized mechanism for outgoing two-way SSL connections. Is there a way to do this with Apache or another product? To complicate things, the client certificate needed to identify our client can vary depending on the destination.

In short:

- Internal clients connect through http to Apache or another product.
- Apache or another product knows based on a rule (?) that a two-way ssl connection is required and sets this up with the destination.
- Depending on the destination, the correct certificate is sent to identify our client.

Regards,

Nidkil


1 Answer


What you're talking about is, of course, an HTTP proxy server. In the first scenario you are using it as a transparent proxy to provide SSL support for connections to a set of web pages. In the second scenario you want to use it to provide connections to secure-only pages on behalf of clients speaking HTTP.

You can do this with the Squid proxy, which is free and open-source, provided that your machine sits between the clients and the Internet. Look for "SSLBump". You do need a certificate which the clients would consider valid for all web pages to be accessed (otherwise they will notice what you are doing, which is basically a man-in-the-middle attack).

However, I would strongly recommend against this - if a site requires SSL, it is likely to do so for a reason. It is almost certainly not OK to have internal clients connecting to an online banking site and have you bumping down their encryption so that you can monitor their traffic or whatever...

Borealid
  • Thx for the quick response. We want to use the centralized outgoing two-way ssl mechanism for webservices. The idea is to avoid having each client understand the two-way ssl protocol and having certificates spread throughout the organization. Basically we are working with trusted zones, so both parties agree that their internal network is a trusted zone; connections between the two networks/zones are untrusted and must be protected by a two-way ssl connection. – nidkil Feb 16 '11 at 14:06
  • @nidkil: You keep saying "two-way SSL". You do know that SSL has support for the client providing its own certificate, right? – Borealid Feb 16 '11 at 14:35
  • Hi. Yes, we currently have a number of clients that implement this functionality themselves. We do not want clients to individually set up the two-way ssl connection, as this means we need to distribute certificates throughout the organisation. We want to handle this centrally. That is why I am trying to find out how to do this from a single point. You pointed me towards Squid and SSLBump. I checked it out and cannot see if it is able to make a two-way ssl connection. Do you know if this is possible? – nidkil Feb 16 '11 at 15:26
  • @nidkil: Yes, it can. Squid can provide a client SSL certificate. – Borealid Feb 17 '11 at 13:59
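The setup the question describes (internal clients speak plain HTTP to a central gateway, the gateway opens the two-way SSL connection and picks the client certificate per destination) can also be built with Apache's own SSLProxy directives instead of Squid. The configuration below is an added example, not part of the question, the answer, or either project's documentation; it assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http, and every hostname, address and file path in it is a placeholder.

```apache
# Added example (not from the question or answer): Apache 2.4 as the central
# outbound two-way SSL gateway. Each destination gets its own internal port,
# so the rule "which client certificate to send" is simply "which port the
# internal client connected to". Addresses, hostnames and paths are assumed.

# Bind only on the internal interface (assumed address) so the gateway is
# reachable from the trusted zone and not from outside.
Listen 10.0.0.5:8081
Listen 10.0.0.5:8082

# Never act as an open forward proxy; only the explicit ProxyPass maps apply.
ProxyRequests Off

# Destination A (assumed: partner-a.example) is identified with certificate A.
<VirtualHost 10.0.0.5:8081>
    ServerName gateway-a.internal.example

    SSLProxyEngine on
    # Client certificate and its private key concatenated in one PEM file.
    # mod_ssl requires this key to be unencrypted, so restrict file permissions
    # to the Apache user; this file is now the single copy of the credential.
    SSLProxyMachineCertificateFile /etc/apache2/ssl/client-partner-a.pem
    # Trust only the CA that issued the partner's server certificate, and
    # check that the certificate actually names the host we connect to.
    SSLProxyCACertificateFile /etc/apache2/ssl/partner-a-ca.pem
    SSLProxyVerify        require
    SSLProxyVerifyDepth   2
    SSLProxyCheckPeerName on
    SSLProxyProtocol      all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPass        / https://partner-a.example/
    ProxyPassReverse / https://partner-a.example/
</VirtualHost>

# Destination B (assumed: partner-b.example) gets a different certificate
# and a different trust anchor; nothing else changes.
<VirtualHost 10.0.0.5:8082>
    ServerName gateway-b.internal.example

    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/apache2/ssl/client-partner-b.pem
    SSLProxyCACertificateFile /etc/apache2/ssl/partner-b-ca.pem
    SSLProxyVerify        require
    SSLProxyVerifyDepth   2
    SSLProxyCheckPeerName on
    SSLProxyProtocol      all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPass        / https://partner-b.example/
    ProxyPassReverse / https://partner-b.example/
</VirtualHost>
```

Because the internal clients deliberately send HTTP to the gateway, no SSLBump-style interception or locally trusted CA is involved; the man-in-the-middle concern raised in the answer only applies when the proxy is inserted transparently into connections the clients believe are end-to-end.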