On 2024-12-02 05:22, Thomas K wrote:
Not sure how the Squid GET https:// can help me, as I
want to talk bidirectionally between client and server after the
handshake and keep that connection alive. GET https:// sounds a lot like
the connection will be closed after one request. Perhaps my question was
not clear in this regard in the first place or I currently cannot yet
make sense of the solution.
I assumed that your origin server application speaks HTTP(S). If it does
not, then sending Squid "GET https://" requests is _not_ going to work.
Instead, if you want to encrypt client-Squid communication _and_
client-origin communication, then the client has to send an encrypted
HTTP CONNECT request to Squid's https_port. Upon receiving that CONNECT,
Squid will establish a blind TCP tunnel to origin server. Your client
will have to implement TLS-inside-TLS to use that tunnel to talk to
origin server securely, just as you expected.
I will leave you in Viktor's expert hands with regard to BIO handling,
but if you want more real-world examples in well-known software, I know
that curl implements TLS-inside-TLS.
Good luck,
Alex.
I am still in the process of understanding how the
network_biopair_interop() works exactly, but I think I got the general
idea and how to transfer it.
Is there any literature you can recommend that explains the difference
between BIO_push, BIO_make_bio_pair and manually reading and writing to
mem BIOs?
Also, I am not entirely sure I understood when to use which BIO. If I
create two BIO_new_SSL and chain/make_pair them together, the data
should be "double encrypted" when I SSL_read from the chain, right? Or
do I need a memory BIO in-between for some reason?
Sorry, looks like I am overall a bit confused...
Thomas
Viktor Dukhovni wrote on Saturday, 30 November 2024 at 05:08:20 UTC+1:
On Thu, Nov 28, 2024 at 11:11:46PM -0800, Thomas K wrote:
> Any suggestions and advice on how to do this properly is very
> welcome (also something like "Configure your proxy to open the second
> TLS connection" or similar, if you think that's the most reasonable way).
You can use the biopair API to extract ciphertext from the inner SSL,
and write it into the outer SSL, and conversely read from the outer
SSL and inject ciphertext into the inner SSL.
Though Postfix no longer uses this approach to move data between SSL
and "vstream" sockets, you can still find it in the source of
older releases:
https://github.com/vdukhovni/postfix/blob/postfix-2.3/postfix/src/tls/tls_bio_ops.c
See the embedded nroff docs and network_biopair_interop().
--
Viktor.
--
You received this message because you are subscribed to the Google
Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit
https://groups.google.com/a/openssl.org/d/msgid/openssl-users/2c92a03c-ef04-4a74-a397-80619a08f5e3n%40openssl.org
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/f5bcac98-8a28-49c7-9005-12f249a91447%40measurement-factory.com.
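The following is an added example, not code from this thread, from Postfix or from Squid. It puts Alex's description (encrypted CONNECT to the proxy, then a blind tunnel that the client must run a second TLS session through) and Viktor's biopair plumbing into one runnable Python script using `ssl.MemoryBIO`/`ssl.SSLObject`, the stdlib analogue of OpenSSL's memory BIOs: the inner session's "network" is nothing but the outer session's `write()` and `read()`, so the inner ciphertext becomes the outer plaintext. Everything runs in-process without sockets; the hostnames "proxy" and "origin", the proxy ACL and the throwaway certificate are assumptions, and generating that certificate requires an `openssl` CLI (1.1.1 or newer, for `-addext`) on the PATH.

```python
"""TLS-inside-TLS through an HTTP CONNECT proxy, driven with memory BIOs.
Added example, not from the thread. Three in-process parties, no sockets:
client, a CONNECT proxy that relays bytes blindly after answering 200,
and an origin server. The inner SSLObject's ciphertext goes into the
outer SSLObject's write() and comes back out of its read(): the same
plumbing as network_biopair_interop(), expressed with ssl.MemoryBIO."""
import os
import ssl
import subprocess
import tempfile

PROXY_HOST, ORIGIN_HOST = "proxy", "origin"  # assumed names; must match cert SANs


def make_self_signed(tmpdir):
    """Throwaway key/cert for both assumed hostnames via the openssl CLI (assumed present)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + PROXY_HOST,
                    "-addext", f"subjectAltName=DNS:{PROXY_HOST},DNS:{ORIGIN_HOST}"],
                   check=True, capture_output=True)
    return key, crt


class Layer:
    """One TLS endpoint over a MemoryBIO pair. send(bytes) is where our
    ciphertext goes (a peer's feed(), or an outer Layer's write())."""

    def __init__(self, ctx, send=None, **kw):
        self.inbio, self.outbio = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.inbio, self.outbio, **kw)
        self.send, self.done = send, False

    def flush(self):                 # push pending ciphertext to the peer
        data = self.outbio.read()
        if data:
            self.send(data)

    def feed(self, data):            # peer delivers ciphertext to us
        self.inbio.write(data)

    def handshake(self):
        if not self.done:
            try:
                self.tls.do_handshake()
                self.done = True
            except ssl.SSLWantReadError:
                pass
        self.flush()                 # ClientHello, Finished, session tickets, ...
        return self.done

    def write(self, data):
        self.tls.write(data)
        self.flush()

    def read(self):
        """Drain every decrypted record currently available (b"" if none)."""
        chunks = []
        while True:
            try:
                chunk = self.tls.read(16384)
            except ssl.SSLWantReadError:
                break
            if not chunk:
                break
            chunks.append(chunk)
        self.flush()                 # reading may queue post-handshake messages
        return b"".join(chunks)


def relay(outer, inner):
    """Hand everything decrypted by `outer` to `inner`'s network side."""
    data = outer.read()
    if data:
        inner.feed(data)


def proxy_policy(request):
    """Assumed proxy ACL: only CONNECT to the one allowed origin:port gets a tunnel."""
    line = request.split(b"\r\n", 1)[0].split(b" ")
    if len(line) == 3 and line[0] == b"CONNECT" and line[1] == f"{ORIGIN_HOST}:443".encode():
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return b"HTTP/1.1 403 Forbidden\r\n\r\n"


def run_demo():
    """Returns (proxy status line, bytes seen by origin, bytes seen by client)."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        cctx = ssl.create_default_context(cafile=crt)   # client verifies BOTH layers
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(crt, key)
        # Outer layer, client <-> proxy: ciphertext moves BIO to BIO.
        client_outer = Layer(cctx, server_hostname=PROXY_HOST)
        proxy_outer = Layer(sctx, send=client_outer.feed, server_side=True)
        client_outer.send = proxy_outer.feed
        for _ in range(5):
            a, b = client_outer.handshake(), proxy_outer.handshake()
            if a and b:
                break
        assert a and b, "outer handshake stalled"
        # CONNECT is the first application data of the outer session.
        client_outer.write(f"CONNECT {ORIGIN_HOST}:443 HTTP/1.1\r\nHost: {ORIGIN_HOST}:443\r\n\r\n".encode())
        proxy_outer.write(proxy_policy(proxy_outer.read()))
        status = client_outer.read().split(b"\r\n", 1)[0]
        if not status.startswith(b"HTTP/1.1 200"):
            return status, None, None
        # Inner layer, client <-> origin: its "network" is the outer layer.
        client_inner = Layer(cctx, send=client_outer.write, server_hostname=ORIGIN_HOST)
        origin = Layer(sctx, send=proxy_outer.write, server_side=True)
        for _ in range(5):
            c = client_inner.handshake()   # inner records -> client_outer.write -> proxy
            relay(proxy_outer, origin)     # proxy forwards decrypted bytes blindly
            o = origin.handshake()         # origin records -> proxy_outer.write -> client
            relay(client_outer, client_inner)
            if c and o:
                break
        assert c and o, "inner handshake stalled"
        client_inner.write(b"ping from client")
        relay(proxy_outer, origin)
        at_origin = origin.read()
        origin.write(b"pong from origin")
        relay(client_outer, client_inner)
        return status, at_origin, client_inner.read()


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing when adapting this to real sockets: the proxy never calls `origin`'s TLS methods, it only shovels bytes after the 200, which is what "blind tunnel" means and why the proxy cannot inspect or tamper with the inner session; and the client verifies the certificate of each layer against the name it expects at that layer (the proxy's on the outer session, the origin's on the inner one), so the outer hop protecting the CONNECT does not weaken origin authentication.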