#1
02-14-2008, 06:41 PM
Rich Fife
HTTPS question

Hello all,

Hope this isn't a total newbie question...

I'm writing an extension to an existing client / server suite that
currently uses UDP for all of its communication.

We are having some problems with clients that are behind firewalls
that only allow HTTP and HTTPS, so I've created a system where the
necessary communications all take place in the form of GET and PUT
HTTP calls. This makes the proxy think that the client is simply
browsing the web when they are not. Yeah, lame, but it works for
HTTP. I need to implement a version that uses HTTPS as well. I've
got all my certificates ready and it works between the client and the
server if there is no proxy, but the question I'm having trouble
answering is how do you implement HTTPS from the TCP / SSL level?

Do you send an unencrypted HTTP header and then pop over to SSL
immediately afterwards? When do you do the SSL handshaking? Before
or after you send the header?

Thanks in advance!

-- Rich Fife --

#2
02-14-2008, 06:55 PM
Bruce Stephens
Re: HTTPS question

Rich Fife <rfife@amug.org> writes:

[...]

> Do you send an unencrypted HTTP header and then pop over to SSL
> immediately afterwards? When do you do the SSL handshaking? Before
> or after you send the header?


Start straight off with SSL/TLS. (I believe there's a proposal for an
HTTP startTLS, but I don't think it's caught on.)

#3
02-14-2008, 09:36 PM
Rich Fife
Re: HTTPS question

On Feb 14, 11:55 am, Bruce Stephens <bruce+use...@cenderis.demon.co.uk> wrote:
> Rich Fife <rf...@amug.org> writes:
>
> [...]
>
> > Do you send an unencrypted HTTP header and then pop over to SSL
> > immediately afterwards? When do you do the SSL handshaking? Before
> > or after you send the header?
>
> Start straight off with SSL/TLS. (I believe there's a proposal for an
> HTTP startTLS, but I don't think it's caught on.)


So I do an SSL handshake directly with the proxy and then it
handshakes with the server? If I don't, how does the proxy know what
server I want (it's only in the (encrypted) HTTP header)?

Thanks for your reply!

-- Rich --

#4
02-14-2008, 09:40 PM
Sebastian G.
Re: HTTPS question

Rich Fife wrote:

> On Feb 14, 11:55 am, Bruce Stephens <bruce+use...@cenderis.demon.co.uk> wrote:
>> Rich Fife <rf...@amug.org> writes:
>>
>> [...]
>>
>>> Do you send an unencrypted HTTP header and then pop over to SSL
>>> immediately afterwards? When do you do the SSL handshaking? Before
>>> or after you send the header?
>>
>> Start straight off with SSL/TLS. (I believe there's a proposal for an
>> HTTP startTLS, but I don't think it's caught on.)
>
> So I do an SSL handshake directly with the proxy and then it
> handshakes with the server? If I don't, how does the proxy know what
> server I want (it's only in the (encrypted) HTTP header)?



First you create a connection to the proxy which may or may not be secured
with SSL. Then you send a CONNECT request to the proxy, telling him the host
you want to talk to. He then sets up the connection and proxies all traffic,
and if it's secured with SSL then he doesn't know the content.
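
The ordering described in the post above, as an added example that is not part of the original thread: the CONNECT request and the proxy's status line travel in cleartext, and the TLS handshake only starts afterwards, end to end with the origin server. All function names are hypothetical, and the proxy address passed to `https_via_proxy` is whatever the local network mandates.

```python
import socket
import ssl

def build_connect(host, port):
    """Cleartext request the proxy sees: only the target host and port."""
    if any(c in host for c in "\r\n \t"):
        raise ValueError("host must not contain whitespace or CR/LF")
    target = f"{host}:{int(port)}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def read_proxy_status(sock):
    """Read the proxy's reply headers one byte at a time so that no
    tunnel data following the blank line is consumed by mistake."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("proxy closed before end of headers")
        buf += chunk
        if len(buf) > 8192:
            raise ValueError("proxy response headers too large")
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])

def open_tunnel(sock, host, port):
    """Step 1 (plaintext): ask the proxy for a raw TCP tunnel to host:port."""
    sock.sendall(build_connect(host, port))
    status = read_proxy_status(sock)
    if not 200 <= status < 300:
        raise PermissionError(f"proxy refused CONNECT with status {status}")
    return sock

def https_via_proxy(proxy_addr, host, port=443):
    """Step 2: TLS handshake through the tunnel. The certificate is checked
    against the origin server's name, not the proxy's."""
    raw = socket.create_connection(proxy_addr, timeout=10)
    open_tunnel(raw, host, port)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    return ctx.wrap_socket(raw, server_hostname=host)
```

From the proxy's side, the target host and port in the CONNECT line are the only application-layer data visible; everything after the 2xx reply is opaque TLS records.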

#5
02-14-2008, 10:01 PM
Rich Fife
Re: HTTPS question

On Feb 14, 2:40 pm, "Sebastian G." <se...@seppig.de> wrote:
> Rich Fife wrote:
> > On Feb 14, 11:55 am, Bruce Stephens <bruce+use...@cenderis.demon.co.uk> wrote:
> >> Rich Fife <rf...@amug.org> writes:
> >>
> >> [...]
> >>
> >>> Do you send an unencrypted HTTP header and then pop over to SSL
> >>> immediately afterwards? When do you do the SSL handshaking? Before
> >>> or after you send the header?
> >>
> >> Start straight off with SSL/TLS. (I believe there's a proposal for an
> >> HTTP startTLS, but I don't think it's caught on.)
> >
> > So I do an SSL handshake directly with the proxy and then it
> > handshakes with the server? If I don't, how does the proxy know what
> > server I want (it's only in the (encrypted) HTTP header)?
>
> First you create a connection to the proxy which may or may not be secured
> with SSL. Then you send a CONNECT request to the proxy, telling him the host
> you want to talk to. He then sets up the connection and proxies all traffic,
> and if it's secured with SSL then he doesn't know the content.


Ah. I get it. I was going straight for GET and PUT without using
CONNECT. That's the magic word I was looking for.

Thanks!

-- Rich --

#6
02-14-2008, 10:03 PM
Sebastian G.
Re: HTTPS question

Rich Fife wrote:


> Ah. I get it. I was going straight for GET and PUT without using
> CONNECT. That's the magic word I was looking for.



PUT isn't even part of HTTP, but rather of its extension WebDAV.

#7
02-14-2008, 10:08 PM
Bruce Stephens
Re: HTTPS question

Rich Fife <rfife@amug.org> writes:

> So I do an SSL handshake directly with the proxy and then it
> handshakes with the server? If I don't, how does the proxy know what
> server I want (it's only in the (encrypted) HTTP header)?


Ah. I was forgetting you had a proxy. I've no idea how HTTP SSL
proxies work in reality. You've got a working proxy, so you could try
a web browser suitably configured and ethereal, and see what it's
doing? Or check if the proxy supports RFC 2817, and implement that
(apparently web clients don't)?

Sorry, my fault. I had read "proxy" but somehow forgot it.

#8
02-14-2008, 10:12 PM
Bruce Stephens
Re: HTTPS question

"Sebastian G." <seppi@seppig.de> writes:

> PUT isn't even part of HTTP, but rather of its extension WebDAV.


It's less commonly used than GET, but it's surely part of HTTP.

#9
02-14-2008, 10:49 PM
Sebastian G.
Re: HTTPS question

Bruce Stephens wrote:

> "Sebastian G." <seppi@seppig.de> writes:
>
>> PUT isn't even part of HTTP, but rather of its extension WebDAV.
>
> It's less commonly used than GET, but it's surely part of HTTP.



At least for HTTP 1.0 this is wrong. Quoting RFC1945:

| These appendices are provided for informational reasons only -- they
| do not form a part of the HTTP/1.0 specification.
| [...]
| D.1.1 PUT

That is, one should expect an error 400 and not just 501.

#10
02-14-2008, 11:36 PM
Rich Fife
Re: HTTPS question

On Feb 14, 3:49 pm, "Sebastian G." <se...@seppig.de> wrote:
> Bruce Stephens wrote:
> > "Sebastian G." <se...@seppig.de> writes:
> >
> >> PUT isn't even part of HTTP, but rather of its extension WebDAV.
> >
> > It's less commonly used than GET, but it's surely part of HTTP.
>
> At least for HTTP 1.0 this is wrong. Quoting RFC1945:
>
> | These appendices are provided for informational reasons only -- they
> | do not form a part of the HTTP/1.0 specification.
> | [...]
> | D.1.1 PUT
>
> That is, one should expect an error 400 and not just 501.


I'm using 1.1, so I should be fine. Thanks for the info guys! I
should have made more of a point that a proxy was involved. My
original post was kind of disorganized.

-- Rich --

#11
02-20-2008, 04:36 PM
Chris Mattern
Re: HTTPS question

On 2008-02-14, Rich Fife <rfife@amug.org> wrote:
> Hello all,
>
> Hope this isn't a total newbie question...
>
> I'm writing an extension to an existing client / server suite that
> currently uses UDP for all of its communication.
>
> We are having some problems with clients that are behind firewalls
> that only allow HTTP and HTTPS,


In other words, you're trying to subvert some clients' firewall policies
that their boxen only access HTTP and HTTPS. That's not very nice.


--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

#12
02-20-2008, 04:42 PM
Todd H.
Re: HTTPS question

Rich Fife <rfife@amug.org> writes:

> Hello all,
>
> Hope this isn't a total newbie question...
>
> I'm writing an extension to an existing client / server suite that
> currently uses UDP for all of its communication.
>
> We are having some problems with clients that are behind firewalls
> that only allow HTTP and HTTPS, so I've created a system where the
> necessary communications all take place in the form of GET and PUT
> HTTP calls. This makes the proxy think that the client is simply
> browsing the web when they are not. Yeah, lame, but it works for
> HTTP. I need to implement a version that uses HTTPS as well. I've
> got all my certificates ready and it works between the client and the
> server if there is no proxy, but the question I'm having trouble
> answering is how do you implement HTTPS from the TCP / SSL level?
>
> Do you send an unencrypted HTTP header and then pop over to SSL
> immediately afterwards? When do you do the SSL handshaking? Before
> or after you send the header?
>
> Thanks in advance!


stunnel is a command line thingee built with such issues in mind.

http://www.stunnel.org/examples/


--
Todd H.
http://www.toddh.net/
