afm
2004-03-25 14:26:02 UTC
Hello everyone,
I've recently written a virus scanning module for apache2 with
mod_proxy, but I'm now facing the next problem: virus scanning of
SSL traffic. The problem with SSL traffic is of course that we
cannot see inside the connection. With the recent flood of mail
based viruses, one of my customers had to close HTTPS access to
all webmail providers.
I believe there is a less drastic solution that would allow us to
perform virus scanning nevertheless. However, Google hasn't
shown me a solution, and neither has mod_proxy/mod_ssl. I also
checked recent archives of the mailing lists. This may be
ignorance on my part, I'd be glad to learn that apache already
offers a simple solution.
When the proxy receives a CONNECT request, it is also told to
what host the client would like to connect. So the proxy could
generate a certificate matching that host name on the fly and
negotiate an SSL connection with the browser. Of course, we
would need a small proxy CA with a CA certificate that the
browser should have imported. The user will only notice anything
if she looks at the certificate.
The proxy can then read the request from the browser, which is
not a proxy request, but as we have read the hostname from the
CONNECT, we can synthesize an SSLproxy request: From

    CONNECT trusted.server.com:443 HTTP/1.0
    [ssl handshake]
    GET /some/path/file.html HTTP/1.0
    Host: trusted.server.com
    Accept: ...

construct

    GET https://trusted.server.com:443/some/path/file.html HTTP/1.0
    Host: trusted.server.com
    Accept: ...

Sending this request to an SSL enabled apache2 proxy will return
the data in the clear, maybe virus scanned (preferably using
mod_clamav :-), and we can write it to the browser through the
SSL connection. So we get HTTPS virus scanning.
There are, of course, some details that should be addressed:
1. The temporary certificates should all use the same key, as key
generation is the most expensive operation. And the
certificates should be cached also.
2. Since some sites require client authentication, we need a
configurable list of sites where we allow the CONNECT in the
traditional way, maybe dynamic as with mod_dnsbl.
3. We should do SSL session management for the client
connections. The correct solution would even maintain one SSL
session between proxy and server per SSL session between
browser and proxy.
Note that the third item implies that we need a tight coupling
between the SSL server part (connection to browser) and the SSL
client part (SSLproxy functionality).
I've written a small proof of concept proxy that accepts CONNECT,
negotiates SSL, builds the GET https request and returns the data
to the browser. Currently it only works for GET requests, but
that is a limitation of the request processing code, not a
problem of the principle. It uses the same certificate all the
time too, but again, this is just a momentary simplification.
So the concept seems to work, but as I'm not too familiar with
the internals of mod_proxy/mod_ssl, I'd like to ask the lists for
some assistance. In particular:
1. Would it be possible to implement this as a protocol filter in
order to bypass mod_proxy_connect? Or do we need to modify
mod_proxy_connect?
2. Would it be possible to reuse the mod_ssl session handling
code?
3. Can we influence mod_ssl's SSLProxy stuff for the `right'
session handling, so that we get one SSL session per browser
SSL session?
4. Would anyone like to help with this project?
With warm regards
Andreas Mueller
--
Dr. Andreas Mueller, Beratung und Entwicklung
Bubental 53, CH - 8852 Altendorf
Email: ***@othello.ch
Voice: +41 55 4621483 Fax: +41 55 4621485
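
The request synthesis and the pass-through list described in the post, as an added C example (not the author's proof-of-concept code). The function names, the `bank.example` bypass entry and the Host-header check are assumptions of this example; the CONNECT authority is assumed to be already tokenized from the request line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed bypass list: client-certificate sites are tunnelled as-is. */
static const char *bypass[] = { "bank.example", NULL };

int is_bypassed(const char *host) {
    for (int i = 0; bypass[i]; i++)
        if (strcasecmp(host, bypass[i]) == 0) return 1;
    return 0;
}

/* Split CONNECT "host[:port]" (no IPv6 literals); port defaults to 443. */
int parse_authority(const char *auth, char *host, size_t hlen, int *port) {
    size_t n = strcspn(auth, ":");
    char junk;
    if (n == 0 || n >= hlen) return -1;
    snprintf(host, hlen, "%.*s", (int)n, auth);
    *port = 443;
    if (auth[n] == ':' && (sscanf(auth + n + 1, "%d%c", port, &junk) != 1
                           || *port < 1 || *port > 65535)) return -1;
    return 0;
}

/* Origin-form line from inside the TLS session -> absolute-form line.
 * Added check: the inner Host header must name the CONNECT host. */
int synthesize(const char *host, int port, const char *line,
               const char *host_hdr, char *out, size_t outlen) {
    char method[16], path[1024], ver[16];
    size_t hl = strlen(host);
    if (sscanf(line, "%15s %1023s %15s", method, path, ver) != 3) return -1;
    if (path[0] != '/' || strncmp(ver, "HTTP/1.", 7) != 0) return -1;
    if (strncasecmp(host_hdr, host, hl) != 0
        || (host_hdr[hl] != '\0' && host_hdr[hl] != ':')) return -1;
    int n = snprintf(out, outlen, "%s https://%s:%d%s %s",
                     method, host, port, path, ver);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char host[256], out[2048];
    int port;
    if (parse_authority("trusted.server.com:443", host, sizeof host, &port)
        || is_bypassed(host)) return 1;    /* reject, or tunnel unmodified */
    if (synthesize(host, port, "GET /some/path/file.html HTTP/1.0",
                   "trusted.server.com", out, sizeof out) == 0) puts(out);
    return 0;
}
```

Rejecting an inner Host header that differs from the CONNECT target keeps the forwarded request bound to the name the temporary certificate was issued for.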