EldoS | Feel safer!


I need to de/encrypt ssl data for my proxy

#18566
Posted: 12/23/2011 15:31:07
by Kenan Hakan (Basic support level)
Joined: 12/23/2011
Posts: 5

Hi,

I wrote a redirector in Delphi which redirects all port 80/443 traffic to my proxy. I am handling all socket data/connections. What I need is to filter SSL traffic. I need some advice before ordering.

My questions are:

1. Client sends data to port 443. Server receives this data but it is encrypted. How can I decrypt this SSL data to see what hostname and URL the client is trying to connect to? I can already send the existing data to the server without modifying it. But when I receive data from the server, how can I again decrypt it (to check for the title)?

2. When we use this VCL to encrypt/decrypt, is the browser going to prompt an untrusted certificate dialog box?

3. Again, using our own sockets, which are coded using the Win API, how can I create a client request, send it to the server and decode the incoming data from the server?

And last question:
4. If everything works fine, which package do I need to purchase to complete the steps above?

Please kindly advise.

Bests,
#18569
Posted: 12/24/2011 01:15:36
by Eugene Mayevski (EldoS Corp.)

What you are trying to do is a man-in-the-middle proxy for HTTPS. It is not possible without either revealing the server's certificate or substituting your own certificate. In the latter case browsers will surely complain about an incorrect certificate. Please read these questions on StackOverflow for detailed information about your task.

If this is ok for you, then we can talk about other questions.


Sincerely yours
Eugene Mayevski
#18572
Posted: 12/24/2011 04:41:37
by Kenan Hakan (Basic support level)
Joined: 12/23/2011
Posts: 5

Hi,

Thanks for your reply.

Can you tell me what is possible? How can we buy our own certificate and deploy it with the software? And can you please kindly answer the other questions, so I can try and see it myself?

Bests,
#18574
Posted: 12/24/2011 07:39:38
by Eugene Mayevski (EldoS Corp.)

Buying a certificate won't save you from browsers complaining about the invalid certificate. The reason is that the certificate must match the address of the contacted site, and you can't buy certificates for all sites that the site connects to.

The other questions are not exactly clear to me. Are you going to *intercept* traffic or are you going to build a proxy? Proxies usually don't reside on port 443, and the client usually knows that it connects to the proxy. So your questions are to some extent vague.


Sincerely yours
Eugene Mayevski
#18575
Posted: 12/24/2011 08:14:28
by Kenan Hakan (Basic support level)
Joined: 12/23/2011
Posts: 5

Hi,

Well, I am just trying to check the host. That's why I just need to decrypt the headers before they are sent to the server. So there is no CONNECT header because they are just connecting to the server, BUT I wrote an LSP and actually the browser connects to OUR own web server. And our own web server handles everything. I can even handle 443, but I need to decrypt it. So is it possible to do that?

Browser is going to send:

GET /blah
HOST: ssl.test.com
etc.

I need to see this decoded as plain text. What is the way to do this?

Bests
#18576
Posted: 12/24/2011 09:24:08
by Eugene Mayevski (EldoS Corp.)

Ok, if you have an LSP, then you are actually intercepting traffic. Next step is
a) present your own server to the client and
b) connect to the server for the actual data.

You need to use TElSecureServer component to handle client's requests, and use TElSecureClient (or TElSimpleSSLClient) to connect to actual host.

See our sample projects in <SecureBlackbox>\Samples\Delphi\SSLBlackbox folder for information about how to use these components in your project.

As for licensing - you would need SSLBlackbox client+server package.


Sincerely yours
Eugene Mayevski
#18577
Posted: 12/24/2011 17:36:16
by Kenan Hakan (Basic support level)
Joined: 12/23/2011
Posts: 5

Hi,

I cannot change the sockets. All I need is to decode and encode the data, because we are using our own sockets and we don't want to change them. The proxy is ready and it is working without any problems.

So my question is, which component can I use for decryption and encryption? I cannot use other sockets for the connections.
#18578
Posted: 12/25/2011 01:28:51
by Eugene Mayevski (EldoS Corp.)

You cannot decrypt and re-encrypt data unless your code has its own certificate and acts as a server for the client and as a client for the server. Point.

This is discussed in detail in the questions on StackOverflow to which I linked above.


Sincerely yours
Eugene Mayevski
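Added example for the question in #18575 ("I am just trying to check the host"), not code from the thread, from SecureBlackbox or from the poster's proxy. The part of the request that names the host does not actually need decryption: a TLS client that supports Server Name Indication puts the hostname, in clear text, into the server_name extension of its ClientHello, the very first record it sends on port 443. The path (`/blah`), the other headers and the response body stay encrypted, so anything beyond a hostname check still needs the two-sided TLS setup Eugene describes (your own certificate facing the browser, a separate TLS client connection to the real server). The block below parses the first bytes a client sends to the redirector and returns the hostname for either a plaintext HTTP request or a TLS ClientHello. The sample ClientHello is constructed in the block; the function and constant names are the example's own.

```python
"""Peek the destination hostname from the first bytes a client sends,
without decrypting anything.  Example code for this thread; it assumes the
proxy has the first TLS record (or the first HTTP request) of a client
connection available as a bytes object."""
import struct

HANDSHAKE = 0x16        # TLS record type: handshake
CLIENT_HELLO = 0x01     # handshake type: ClientHello
EXT_SERVER_NAME = 0     # extension type: server_name (RFC 6066)
NAME_HOST = 0           # server_name name type: host_name


def parse_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if the
    bytes are not a ClientHello, are truncated, or carry no SNI."""
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                     # record cut short
        pos = 2 + 32                        # client_version + random
        pos += 1 + hello[pos]               # session_id<0..32>
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]               # compression_methods
        if pos == len(hello):
            return None                     # old client, no extensions at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q, qend = 2, 2 + list_len
            while q + 3 <= qend:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == NAME_HOST:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                         # malformed input: refuse, don't crash


def parse_http_host(data: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:      # expect "METHOD path HTTP/x.y"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None


def peek_host(first_bytes: bytes):
    """Classify the first client bytes as 'tls' or 'http' and return
    (kind, hostname); hostname is None when the client did not say."""
    if first_bytes[:1] == bytes([HANDSHAKE]):
        return "tls", parse_sni(first_bytes)
    return "http", parse_http_host(first_bytes)


def build_client_hello(server_name):
    """Constructed sample ClientHello (TLS 1.2, one cipher suite, zeroed
    random) with or without an SNI extension; test input only."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([NAME_HOST]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    hello += b"\x01\x00"                               # null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(peek_host(build_client_hello("ssl.test.com")))
    print(peek_host(b"GET /blah HTTP/1.1\r\nHOST: ssl.test.com\r\n\r\n"))
```

Two caveats for a filtering proxy: a client is free to omit SNI (the parser then returns None, and the only remaining hostname source is the certificate the real server sends back), and the hostname in the ClientHello is whatever the client claims, so it is a routing and filtering hint, not an authenticated value.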