HTTPS Proxy Implementation (SSLStream)

一向 2021-01-14 17:46

I've written a console application that acts as a proxy server. Now I would like to implement SSL as well. I do not want to decrypt any traffic. Just like a normal HTTPS proxy. I'

2 Answers
  • 2021-01-14 18:10

    Adding to the answer from EJP, the proxy simply opens a tunnel between the end server and the client after a successful CONNECT request. The client, however, needs to upgrade the socket to HTTPS and continue sending data through the same socket which was used in the CONNECT request. The proxy, on the other hand, just needs to maintain this tunnel between the end server and client, acting as a simple transparent proxy just copying encrypted data from one socket to another.

    Check this doc for more details about the tunnel

    0 Discussion (0)
  • 2021-01-14 18:26

    IE issues a CONNECT request to my proxy. My proxy sees that it's a CONNECT request and gets the ip:port of the destination (e.g., www.hotmail.com:443). My proxy creates a new TCP connection to www.hotmail.com:443.

    All correct so far.

    My proxy gets an SslStream from this destination and calls AuthenticateAsClient - this gives my proxy a secure connection to the hotmail side of things

    No. Your proxy should use the plain-text connection you already have.

    My proxy then sends an "HTTP/1.0 200" message back to the browser to say that the CONNECT was successful.

    Correct. Or else if you got a connection failure you send back an appropriate HTTP failure response.

    My proxy then gets an SslStream from the browser connection and calls AuthenticateAsServer - gives my proxy a secure connection to the browser side of things

    No. Your proxy continues to use the plaintext connection to the browser.

    How do I call AuthenticateAsServer without a fake certificate?

    You don't have to do it at all.

    At this point the browser and the upstream server are ready to execute the SSL handshake. But as you said you don't want to sniff the contents, you have no need to be an SSL endpoint yourself. All you have to do now is copy bytes in both directions simultaneously. The endpoints will SSL-handshake just as though you weren't there.

    0 Discussion (0)
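
The tunnel both answers describe, as an added C# example that is not code from the question or from either answer: the proxy parses CONNECT, dials the target over plain TCP, replies 200, and then relays bytes without ever creating an SslStream. Assumptions: C# 8 on .NET Core 3.0 or later, the class name `ConnectTunnel`, the loopback listener on port 8888, and the port-443-only rule, which is an added restriction so the proxy cannot be used as a generic TCP relay.

```csharp
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

static class ConnectTunnel // hypothetical name
{
    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 8888); // assumed listen address
        listener.Start();
        while (true) _ = HandleAsync(await listener.AcceptTcpClientAsync());
    }
    static async Task HandleAsync(TcpClient client)
    {
        using (client)
        using (var upstream = new TcpClient())
        {
            NetworkStream down = client.GetStream();
            string[] req = (await ReadHeadAsync(down)).Split('\r')[0].Split(' ');
            int colon = req.Length == 3 ? req[1].LastIndexOf(':') : -1;
            // Added policy (assumption, not from the page): tunnel only CONNECT host:443.
            if (req[0] != "CONNECT" || colon < 1 || req[1].Substring(colon + 1) != "443")
            { await ReplyAsync(down, "403 Forbidden"); return; }
            try { await upstream.ConnectAsync(req[1].Substring(0, colon), 443); }
            catch (SocketException) { await ReplyAsync(down, "502 Bad Gateway"); return; }
            await ReplyAsync(down, "200 Connection Established");
            NetworkStream up = upstream.GetStream();
            // No SslStream and no certificate: relay the ciphertext until either side closes.
            await Task.WhenAny(down.CopyToAsync(up), up.CopyToAsync(down));
        }
    }
    // Reads one byte at a time up to the blank line, so TLS bytes after it stay in the socket.
    static async Task<string> ReadHeadAsync(Stream s)
    {
        var head = new StringBuilder();
        var one = new byte[1];
        uint tail = 0; // last four bytes read; 0x0D0A0D0A is "\r\n\r\n"
        while (head.Length < 8192 && tail != 0x0D0A0D0A && await s.ReadAsync(one, 0, 1) == 1)
        { head.Append((char)one[0]); tail = (tail << 8) | one[0]; }
        return tail == 0x0D0A0D0A ? head.ToString() : ""; // oversized or truncated head
    }
    static Task ReplyAsync(Stream s, string status)
    {
        byte[] b = Encoding.ASCII.GetBytes("HTTP/1.1 " + status + "\r\n\r\n");
        return s.WriteAsync(b, 0, b.Length);
    }
}
```

Because the TLS handshake runs end to end between browser and server, the proxy sees only the CONNECT target and ciphertext, so any access control or logging has to key on the requested host and port.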