On 2024-11-29 02:11, Thomas K wrote:
I am currently struggling with getting my client application to
communicate using TLS to my server application via an HTTP CONNECT proxy
server (squid). The proxy requires an authentication token, which is why
I'd like to establish a HTTPS connection to the proxy (the outer TLS
connection). Is there a recommended way of doing this?
Establishing the proxy tunnel works perfectly fine. I can handshake,
send the HTTP CONNECT and get a 200 - OK response. The server also
registers an incoming connection.
Next, I want to perform a TLS handshake with the server (the inner TLS).
If I understand things correctly, that handshake has to be wrapped in
the proxy connection. So anything written to the target server after the
handshake needs to be encrypted twice, once for the proxy and once for
the target server. I have experimented with different ways of doing so:
1) pushing a BIO_new_ssl on the current BIO chain (proxy_bio_connect ->
proxy_bio_ssl -> server_bio_ssl). This seems to work in principle.
However, the handshake does take several seconds and the resulting
connection seems quite unstable. I am stuck in a WANT_READ during
SSL_Connect, thus polling the socket and that doesn't return for several
seconds.
My suspicion is that there is some hickup between the outer and the
inner ssl layer. Perhaps the outer ssl is consuming packets that the
inner one is waiting for or sending some packets that the inner one
doesn't expect. Sometimes I observed an "unexpected message alert". I
also observed some data being stuck in one of the BIOs when not flushing
them.
2) Creating a membio + SSL object and reading/writing to it manually to
forward data from/ to the proxy BIO. This seems quite complex as
forgetting to read/write from one of the BIOs easily results in the
application blocking forever. I think I managed to get a connection
working this way as well, however I'd like to use non-blocking sockets
and am quite scared of including any more polling/waiting/read/write
stuff into that code. Pretty sure the complexity will make it fail at
some point given my skill level :-D
Any suggestions and advice on how to do this properly is very welcome
(also something like "Configure your proxy to open the second TLS
connection" or similar, if you think that's the most reasonable way).
FWIW, Squid supports so called "GET https://..."; requests. No special
configuration is required to enable that support, but it is a rarely
used feature so proceed with caution. *If* you trust the proxy, you can
establish a TLS connection to Squid's https_port and send a GET request
to Squid targeting HTTPS origin server (instead of sending CONNECT).
Squid should establish a TLS connection to the origin server and forward
the response to you.
All traffic on the wire will be encrypted, but there is no
TLS-inside-TLS in this use case: Unlike CONNECT case, Squid will see the
origin server response and, if appropriate, cache and share it with
other requests.
HTH,
Alex.
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/dfdfc8bc-f3c8-4f89-9956-e376f0c60987%40measurement-factory.com.
