Artica Proxy and SSL


If you are using the “3.5.x” Proxy engine version, you can deal easily with the SSL protocol.

1) Understand that the SSL protocol cannot be broken.

When a browser requests a connection to a Web site using SSL, it starts by creating a “CONNECT” session.
Inside this session, the browser downloads and verifies the server certificate.
So it is not possible to transform an SSL session into an HTTP (no SSL) connection.

2) The proxy deals with SSL using 2 methods.

A) The CONNECT method:

The CONNECT method only helps the browser establish a TCP connection to the remote Web server.
Inside this session the protocol is encrypted, and the proxy is not able to see these items:

  • The proxy is not able to see the content of Web pages or of downloaded files.
  • The proxy is not able to see the requested URLs.
  • The proxy is not able to modify the original requests, e.g. to enforce the Google SafeSearch feature.

B) The MAN-IN-THE-MIDDLE method


The MAN-IN-THE-MIDDLE method forces the proxy to use its own certificate in order to establish the SSL connection with browsers.
During this SSL session with the browser, the proxy service communicates with the target HTTPS servers on behalf of the browser.
The session established between the proxy and the HTTPS servers allows the proxy to see the web content and URLs.
The proxy then re-encrypts the web content to the browser with its own certificate.

In this way the proxy is able to see everything in the SSL protocol, but there are strong limitations:

The certificate is sent by the proxy, not by the Web server:

You need to install the proxy certificate in all browsers in order to avoid certificate warnings.


You can only decrypt some specific websites.

Artica 2.01.042510 or above provides rules to define which web servers must pass through the MAN-IN-THE-MIDDLE method and which servers must pass through the proxy without decoding the SSL protocol.

An ACL object called “SSL SNI domains” allows you to decide whether a set of domains must pass through the MAN-IN-THE-MIDDLE method or not.

To implement SSL support on your Artica proxy:

  1. Create an SSL certificate for the proxy | Decrypt SSL the proper way (self-signed certificate)
  2. Deploy the proxy certificate to browsers. | Install the certificate in Internet Explorer
  3. Enable SSL on your listen ports.
  4. Use the SSL SNI object to define which websites to decrypt.
