
I'm looking for an SSL decryption proxy that is transparent at layers 3 and 4. E.g. the client will be sending an HTTPS request to the server, but the proxy will decrypt it and forward the decrypted traffic using the client's IP and port as the source and the server's IP and port as the destination. The SSL certificate and private key will be available on the proxy, i.e. the proxy will not be auto-generating SSL certificates with a trusted CA to spoof the connection. All of the SSL proxies that I have explored so far also re-encrypt the traffic between the proxy and the server, but I only need it to decrypt traffic toward the server and encrypt the return traffic toward the client (with layer 3/4 transparency).

Ultimately there will be another SSL proxy before it reaches the server that will encrypt the traffic, so the server will be receiving HTTPS traffic. But it will be a separate proxy.

Are there any open-source applications that work this way, or that can be made to work this way?

Rusty Lemur
  • What you’re asking isn’t technically possible. SSL’s goal is to authenticate the server to the client. If the domain name the browser uses to connect is not under your control and/or the client is not under your direct control, then you simply cannot interrupt that stream without causing security warnings in the browser, or causing the browser to refuse to load the page if it is using HSTS. You have to place a trusted root certificate on the client device from the proxy, and HSTS would need to be turned off in the browser. – Appleoddity Mar 25 '22 at 16:18
  • In this case I'm under control of the server and its certificate and key. It's unconventional, but in this case I would be hosting my server's certificate and key on my proxy. To the client, it should be unaware that it is connecting directly to my server or to my proxy with the same server certificate. – Rusty Lemur Mar 25 '22 at 17:03
  • ok. That makes sense and should work. – Appleoddity Mar 25 '22 at 17:12
  • I'm pretty sure most application layer gateways would be able to do this, but keep in mind, you are proxying the HTTP/HTTPS, rather than the TCP traffic, so it's all about layer 7, not 3/4, neither of which is actually encrypted by TLS/SSL. The encryption is on the layer 7 datagram. https://en.wikipedia.org/wiki/HTTPS#Network_layers Consider, for instance, a server running multiple sites with different certs: which cert does it use? SNI makes that possible, by not encrypting the host-header in the http request, letting the server determine what certificate it needs to use. – Frank Thomas Mar 25 '22 at 19:27
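What the question describes is a TLS-terminating proxy in Linux "transparent proxy" (TPROXY) mode: it holds the real server's certificate and key, decrypts on the client-facing side, and opens the upstream connection from the client's own IP and port toward the original destination IP and port, in clear. HAProxy can be configured to do exactly this. The configuration below is an added example for this thread, not something posted by the asker or the commenters. It assumes a Linux kernel with TPROXY support, an HAProxy build with `USE_LINUX_TPROXY=1`, the server's certificate and private key concatenated into `/etc/haproxy/site.pem` (path is an assumption), and that the proxy sits in the forwarding path between the clients and the server, so the server's replies addressed to the client IPs pass back through it.

```haproxy
# Added example: HAProxy as a TLS-terminating proxy that is transparent at L3/L4.
# Assumptions (not from the original post): Linux kernel with TPROXY,
# HAProxy built with USE_LINUX_TPROXY=1, cert+key in /etc/haproxy/site.pem,
# proxy is the router/bridge in the path between clients and the server.

global
    log stdout format raw local0
    # IP_TRANSPARENT (used by "transparent" and "usesrc") needs CAP_NET_ADMIN,
    # so the process must start as root or the binary must carry that capability.

defaults
    mode tcp            # forward the decrypted byte stream unchanged, no HTTP rewriting
    log global
    timeout connect 5s
    timeout client 60s
    timeout server 60s

# Client connections to <server>:443 are diverted here by an iptables TPROXY rule
# (see the usage note: "-j TPROXY --on-port 8443"). "transparent" sets IP_TRANSPARENT
# on the listening socket so it accepts connections whose destination address is
# not configured on this host; "ssl crt" terminates TLS with the server's own cert.
frontend tls_in
    bind 0.0.0.0:8443 transparent ssl crt /etc/haproxy/site.pem
    default_backend plain_out

backend plain_out
    # Source address of the upstream connection: the client's IP *and* port.
    # ("usesrc clientip" would keep only the IP and pick a random source port.)
    source 0.0.0.0 usesrc client
    # Destination: address 0.0.0.0 with no port means "the address and port the
    # client originally connected to", i.e. the real server on :443.
    # No "ssl" keyword on the server line, so the decrypted traffic leaves in clear.
    server origin 0.0.0.0
```

The kernel side is the standard TPROXY recipe from the Linux networking documentation: a policy route so marked packets are delivered locally (`ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`), a mangle PREROUTING rule that marks packets matching an existing transparent socket (`-m socket -j MARK --set-mark 1`, the usual DIVERT chain), and the diversion rule itself (`iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8443`). The `-m socket` rule is what matters for the return path: the server's replies are addressed to the client, and without it the proxy host would simply forward them instead of handing them to HAProxy's outbound socket. To confirm the transparency, a capture on the server-facing interface (`tcpdump -ni <iface> 'tcp port 443'`) should show cleartext HTTP with the client's IP and source port rather than the proxy's. Two caveats a practitioner will want: the hop between this proxy and the re-encrypting proxy carries plaintext, so it needs its own protection (a dedicated link or network), and because the frontend holds the real server's private key, the proxy host is now as sensitive as the server itself.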

0 Answers