yes it's correct am also using squid i didn't face any problm read about squid.conf and generating certificate properly its will start work as usual. connect is HTTP Method i Need to More about Connect please go through Mozila or RFC document. /udhayakumar
On 11/30/24 8:02 AM, Alex Rousskov
wrote:
On 2024-11-29 02:11, Thomas K wrote:--
I am currently struggling with getting my client application to communicate using TLS to my server application via an HTTP CONNECT proxy server (squid). The proxy requires an authentication token, which is why I'd like to establish a HTTPS connection to the proxy (the outer TLS connection). Is there a recommended way of doing this?
Establishing the proxy tunnel works perfectly fine. I can handshake, send the HTTP CONNECT and get a 200 - OK response. The server also registers an incoming connection.
Next, I want to perform a TLS handshake with the server (the inner TLS). If I understand things correctly, that handshake has to be wrapped in the proxy connection. So anything written to the target server after the handshake needs to be encrypted twice, once for the proxy and once for the target server. I have experimented with different ways of doing so:
1) pushing a BIO_new_ssl on the current BIO chain (proxy_bio_connect -> proxy_bio_ssl -> server_bio_ssl). This seems to work in principle. However, the handshake does take several seconds and the resulting connection seems quite unstable. I am stuck in a WANT_READ during SSL_Connect, thus polling the socket and that doesn't return for several seconds.
My suspicion is that there is some hickup between the outer and the inner ssl layer. Perhaps the outer ssl is consuming packets that the inner one is waiting for or sending some packets that the inner one doesn't expect. Sometimes I observed an "unexpected message alert". I also observed some data being stuck in one of the BIOs when not flushing them.
2) Creating a membio + SSL object and reading/writing to it manually to forward data from/ to the proxy BIO. This seems quite complex as forgetting to read/write from one of the BIOs easily results in the application blocking forever. I think I managed to get a connection working this way as well, however I'd like to use non-blocking sockets and am quite scared of including any more polling/waiting/read/write stuff into that code. Pretty sure the complexity will make it fail at some point given my skill level :-D
Any suggestions and advice on how to do this properly is very welcome (also something like "Configure your proxy to open the second TLS connection" or similar, if you think that's the most reasonable way).
FWIW, Squid supports so called "GET https://..." requests. No special configuration is required to enable that support, but it is a rarely used feature so proceed with caution. *If* you trust the proxy, you can establish a TLS connection to Squid's https_port and send a GET request to Squid targeting HTTPS origin server (instead of sending CONNECT). Squid should establish a TLS connection to the origin server and forward the response to you.
All traffic on the wire will be encrypted, but there is no TLS-inside-TLS in this use case: Unlike CONNECT case, Squid will see the origin server response and, if appropriate, cache and share it with other requests.
HTH,
Alex.
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/242683f6-0d6f-332d-4ace-93430c773c87%40fatpipeinc.com.
