otherwise the client can't update its trust list. HTTP proxies are supposed to be
pretty simple; they have to handle huge volumes of requests, so you want to
avoid adding any more complexity than necessary. Building the protocol extensions
that would let the proxy channel certificate warnings back to the client and
act on the client's response would be fairly complex.
Instead, the standard solution suggested by RFC 2817 is that HTTP proxies
don't proxy secure documents at all — they proxy connections, instead. The
proxy must accept the HTTP CONNECT command, which tells it not to establish
an HTTP socket with a target host, but instead to establish an arbitrary socket
connection. In effect, when the proxy receives a CONNECT command, rather than,
for instance, a GET or a POST , it should complete the TCP three-way handshake
with the target host on the target port, but from that point on it should tunnel
all subsequent data unchanged.
This enables the client to complete the TLS handshake itself and respond appropriately
to any certificate warnings, and so on, that may occur; the TLS client code
doesn't change at all. The only trick is making sure to establish the tunneled
connection before beginning the TLS handshake.
Adding Proxy Support Using Tunneling
You can add proxy support to the HTTPS client from Chapter 6; after you understand
how tunneling works, it's not terribly complicated. Instead of affixing a
Proxy-Authorization header to each HTTP command, you issue a single HTTP
CONNECT command before doing anything TLS-specific; the authorization string
is attached to that command and forgotten afterward. If the CONNECT command
succeeds, you use the socket as if it were a direct connection to the target
host, which, at this point, it effectively is: every byte you write is relayed
to the target unchanged, and every byte the target sends comes back the same way.
Recognizing the proxy parameters and parsing them doesn't change from
HTTP to HTTPS. The only difference in the main routine is that you issue
an HTTP CONNECT command after establishing the TCP connection to the
proxy and before sending the TLS handshake, as shown in Listing 10-1.
Listing 10-1: “https.c” main routine with proxy support
if ( proxy_host )
{
  /* Tunnel through the proxy first; only then start TLS on the socket. */
  if ( !http_connect( client_connection, host, port, proxy_user,
                      proxy_password ) )
  {
    perror( "Unable to establish proxy tunnel" );
    if ( close( client_connection ) == -1 )
    {
      perror( "Error closing client connection" );
    }
    return 2;
  }
}
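The http_connect() that Listing 10-1 calls is the part that does the tunneling described above. The following is an added example of that routine, not the book's own code: it builds the CONNECT request with an optional Basic Proxy-Authorization header, reads the proxy's reply headers without consuming any bytes that belong to the TLS handshake, and reports success only for a 2xx status. The helper names (build_connect_request, parse_connect_status, read_connect_response) are assumptions of this example, and main() stands in for the proxy with a socketpair and a constructed "200 Connection established" reply so it runs offline.

```c
/* Added example of an HTTP CONNECT tunnel setup routine (not the book's
 * http_connect).  The socket passed in is already connected to the proxy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 of user:password for the Basic scheme; out needs
 * 4*ceil(len/3)+1 bytes. */
void base64_encode(const unsigned char *in, size_t len, char *out)
{
    size_t i, o = 0;
    for (i = 0; i < len; i += 3) {
        unsigned v = in[i] << 16 | (i + 1 < len ? in[i + 1] << 8 : 0)
                                 | (i + 2 < len ? in[i + 2] : 0);
        out[o++] = B64[v >> 18 & 63];
        out[o++] = B64[v >> 12 & 63];
        out[o++] = i + 1 < len ? B64[v >> 6 & 63] : '=';
        out[o++] = i + 2 < len ? B64[v & 63] : '=';
    }
    out[o] = '\0';
}

/* "CONNECT host:port HTTP/1.1" plus Host and, if credentials were given,
 * Proxy-Authorization.  Returns the request length, or -1 if it won't fit. */
int build_connect_request(char *buf, size_t buflen, const char *host, int port,
                          const char *user, const char *password)
{
    char cred[256], enc[352], auth[400] = "";
    int n;

    if (user && password) {
        n = snprintf(cred, sizeof cred, "%s:%s", user, password);
        if (n < 0 || (size_t)n >= sizeof cred)
            return -1;
        base64_encode((const unsigned char *)cred, (size_t)n, enc);
        n = snprintf(auth, sizeof auth, "Proxy-Authorization: Basic %s\r\n", enc);
        if (n < 0 || (size_t)n >= sizeof auth)
            return -1;
    }
    n = snprintf(buf, buflen, "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n%s\r\n",
                 host, port, host, port, auth);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Status code from the proxy's status line, or -1 if it isn't an HTTP reply. */
int parse_connect_status(const char *resp)
{
    int major, minor, code;
    if (sscanf(resp, "HTTP/%d.%d %3d", &major, &minor, &code) != 3)
        return -1;
    return code;
}

/* Read the reply headers one byte at a time and stop exactly at the blank
 * line.  Reading a larger chunk could swallow bytes that belong to the
 * TLS layer, which shares this socket from here on.  Returns header length
 * or -1 on EOF, error, or an oversized reply. */
int read_connect_response(int fd, char *buf, size_t buflen)
{
    size_t n = 0;
    while (n + 1 < buflen) {
        if (read(fd, buf + n, 1) != 1)
            return -1;
        n++;
        if (n >= 4 && memcmp(buf + n - 4, "\r\n\r\n", 4) == 0) {
            buf[n] = '\0';
            return (int)n;
        }
    }
    return -1;
}

/* Returns 1 when the tunnel is up (any 2xx), 0 otherwise.  Only after a 1
 * should the caller start the TLS handshake on fd. */
int http_connect(int fd, const char *host, int port,
                 const char *user, const char *password)
{
    char req[1024], resp[8192];
    int n, code;

    n = build_connect_request(req, sizeof req, host, port, user, password);
    if (n < 0 || send(fd, req, (size_t)n, 0) != (ssize_t)n)
        return 0;
    if (read_connect_response(fd, resp, sizeof resp) < 0)
        return 0;
    code = parse_connect_status(resp);
    return code >= 200 && code < 300;
}

/* Stand-alone demo: one end of a socketpair plays the proxy.  The reply is
 * constructed here; the two trailing bytes stand in for TLS data that must
 * be left on the socket for the TLS layer. */
int main(void)
{
    int sv[2];
    char buf[1024];
    ssize_t n;
    static const char canned[] = "HTTP/1.1 200 Connection established\r\n\r\n\x16\x03";

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 ||
        write(sv[1], canned, sizeof canned - 1) < 0)
        return 1;
    printf("tunnel %s\n", http_connect(sv[0], "example.com", 443, "user", "pass")
                          ? "up" : "failed");
    n = read(sv[1], buf, sizeof buf - 1);          /* what the "proxy" received */
    if (n > 0) { buf[n] = '\0'; fputs(buf, stdout); }
    n = read(sv[0], buf, sizeof buf);              /* untouched TLS bytes */
    printf("%zd byte(s) left on the socket for TLS\n", n);
    return 0;
}
```

Two checks worth keeping when adapting this: treat every 2xx as "tunnel established" rather than only 200, since RFC 7231 defines success for CONNECT as any 2xx, and treat 407 as "the proxy wants credentials", not as a tunnel. Remember also that the CONNECT request itself travels in the clear to the proxy: the Basic credential is only base64, not encrypted, and the proxy necessarily learns the target host and port even though it never sees the contents of the TLS session.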