1

Here is what I'm trying to achieve: I have a TCP client that need to connect to our server application but I need the traffic to be done over HTTPS. As far I know, it can be done with a reverse (or forward?) proxy as followed :

TCP client <--- HTTPS ---> myproxy.com:443 <------> tcp server app that listen port 7999

I succefully created a proxy without SSL with the following vhost config :

<VirtualHost *:80>
    ServerName myproxy.com
    SetEnv proxy-nokeepalive 1
    ProxyErrorOverride off
    ProxyRequests On
    ProxyBadHeader Ignore
    ProxyVia Full
    AllowCONNECT 80 443 7999
</VirtualHost>

(am not sure if any of these params are unecessary tbh)

With that vhost I can initiate my tcp connection to my server like this :

telnet myproxy.com 80

> Connected to myproxy.com.

CONNECT myproxy.com:7999 HTTP/1.1
Host: myproxy.com:7999

> HTTP/1.0 200 Connection Established
> Proxy-agent: Apache/2.4.18 (Ubuntu)

As soon as I add SSL and use the port 443, I can't connect anymore :

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName myproxy.com
    SetEnv proxy-nokeepalive 1
    ProxyErrorOverride off
    ProxyRequests On
    ProxyBadHeader Ignore
    ProxyVia Full
    AllowCONNECT 80 443 7999

    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile...
</VirtualHost>
</IfModule>

If I try to connect to this vhost, I get the following :

telnet myproxy.com 443

> Connected to myproxy.com.

CONNECT myproxy.com:7999 HTTP/1.1
Host: myproxy.com:7999

> Connection closed by foreign host.

What am I doing wrong, is this only possible by using the port 443 ? While typing this I tried the port 80 with SSL on (same as my last vhost but with <VirtualHost *:80>, and it seems to work. Is my connection to my TCP server secured this way ? How could I be sure about that ?

Thank you.

CPP_Meister
  • 11
  • 1
  • 2

1 Answers1

2

What you did first was to create a HTTP proxy and issued a plain CONNECT request to it. This worked as expected.

What you did then was to enable SSL for connections to this proxy but issued a plain CONNECT again. This failed as expected since you explicitly configured that the connection to the proxy should be SSL and not plain. This means that the proxy expected the connection to start with the TLS handshake (i.e. ClientHello send by client) and not some plain text HTTP request.

If you want to connect to the proxy with HTTPS then you cannot use simple telnet since telnet only speaks plain TCP. You need to use a TLS capable client instead, for example openssl s_client. Then you get something like

$ openssl s_client -connect myproxy:443
CONNECTED
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ...
---
CONNECT myproxy:7999 HTTP/1.0

HTTP/1.0 200 Connection established
Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172