Hi,
I am using stunnel 4.56 Windows version.
I thought the username and password will *only* be sent to SERVER2, *after* the SSL handshake, with each request.
However, the truth is that the Proxy-Authorization header is attached to the request to SERVER1 "CONNECT SERVER2:433 HTTP/1.1", as well.
So SERVER1 can see username and password. It is not necessary and safe.
Am I missing anything here?
Regards, Peter
[stunnel]
client = yes
accept = 127.0.0.1:8080
connect = SERVER1:3128
protocol = connect
protocolHost = SERVER2:443
protocolUsername = username
protocolPassword = password
On 2013-10-24 07:22, Peter K. O'Connor wrote:
> I thought the username and password will *only* be sent to SERVER2, *after* the SSL handshake, with each request.
If the password for authentication on your proxy was sent *after* the handshake, then SSL would have to be terminated on the proxy rather than on your final server. Your proxy could then eavesdrop on all your data, and the transfer between your proxy and your final server would be unencrypted. Is that really what you'd expect?
The usual scenario is that the connection from your client to your proxy is generally performed over a trusted network, while the connection between your proxy and the final server is performed over a hostile network (usually the Internet).
> Am I missing anything here?
Not really. This is precisely how the CONNECT protocol is designed.
Mike
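
The exchange discussed in this thread, as an added example that is not part of the original messages and is not stunnel's code: it builds a CONNECT request carrying Proxy-Authorization and shows which bytes the proxy (SERVER1) can read and which it only relays. The Basic scheme, the Host header and the TLS record stub are assumptions; the exact bytes stunnel emits may differ.

```python
import base64

def build_connect(host_port, username, password):
    """CONNECT request sent to the proxy before any TLS bytes (Basic scheme assumed)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (f"CONNECT {host_port} HTTP/1.1\r\n"
            f"Host: {host_port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n"
            "\r\n").encode()

def proxy_view(client_bytes):
    """Split the client->proxy stream into what the proxy parses and what it relays."""
    head, sep, tunnelled = client_bytes.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    creds = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                # Basic is base64 encoding, not encryption: readable by the proxy
                # and by anyone on the client<->proxy network path.
                user, _, pw = base64.b64decode(token).decode().partition(":")
                creds = (user, pw)
    return {
        "target": target,                  # visible to the proxy
        "proxy_credentials": creds,        # visible to the proxy
        # Content type 0x16 marks a TLS handshake record; from here on the
        # proxy forwards ciphertext negotiated end-to-end with the target.
        "tunnel_is_tls": tunnelled[:1] == b"\x16",
        "tunnel_len": len(tunnelled),
    }

# Constructed sample: values from the posted config plus a 9-byte stand-in
# for the start of a TLS handshake record (not a valid ClientHello).
TLS_STUB = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
SAMPLE = build_connect("SERVER2:443", "username", "password") + TLS_STUB

if __name__ == "__main__":
    for key, value in proxy_view(SAMPLE).items():
        print(f"{key}: {value}")
```

protocolUsername and protocolPassword authenticate the client to the proxy, so they should be credentials issued for SERVER1; anything meant only for SERVER2 belongs inside the tunnel, after the handshake.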