HTTPS connections over proxy servers
Is it possible to have HTTPS connections over proxy servers? If yes, what kind of proxy server allows this?
TLS/SSL (the S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify the connection, and is therefore useless.
If you want the proxy to be able to read information, you can take the following approach:
- Client starts HTTPS session
- Proxy transparently intercepts the connection and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
- Proxy starts HTTPS session to target
- Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
- Proxy streams content, decrypts it and re-encrypts it with Ka
- Client displays stuff
An example is Squid's SSL bump. Similarly, Burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.
Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.
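To make the CONNECT part of the answer concrete, here is an added, self-contained demonstration (not code from the original post or from Squid/Burp). It runs entirely on localhost: a constructed "origin" TCP service that echoes in upper case, a minimal forwarding proxy that understands only the CONNECT method, and a client that tunnels through it. The proxy records every byte it relays, which is exactly why a CONNECT proxy cannot cache or modify an HTTPS session: once the client starts TLS inside the tunnel, those recorded bytes would be ciphertext and the proxy would see nothing useful. Host names, ports and the payload are constructed for the demo.

```python
"""CONNECT tunnel demo (added example; everything here is constructed and local)."""
import socket
import threading


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.1' into (host, port); reject other methods."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("only CONNECT is supported by this toy proxy")
    host, port = target.rsplit(":", 1)
    return host, int(port)


def serve_origin(listener):
    """Constructed origin service: reply to one message with its upper-case form."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(data.upper())


def serve_proxy(listener, seen):
    """Toy CONNECT proxy: open a TCP connection to the target and relay raw bytes.

    Every relayed byte is appended to `seen` to show what the proxy can observe.
    A real proxy would pump both directions until EOF; one round trip suffices here.
    """
    client, _ = listener.accept()
    with client:
        raw = b""
        while b"\r\n\r\n" not in raw:          # read the CONNECT request head
            chunk = client.recv(1024)
            if not chunk:
                return
            raw += chunk
        head, rest = raw.split(b"\r\n\r\n", 1)
        host, port = parse_connect(head.split(b"\r\n")[0].decode())
        with socket.create_connection((host, port)) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if rest:                            # bytes the client sent early
                seen.append(rest)
                upstream.sendall(rest)
            payload = client.recv(1024)         # opaque to the proxy once TLS is used
            seen.append(payload)
            upstream.sendall(payload)
            reply = upstream.recv(1024)
            seen.append(reply)
            client.sendall(reply)


def connect_through_proxy(proxy_addr, target_host, target_port):
    """Client side of CONNECT: return a socket that now behaves like a direct TCP link."""
    sock = socket.create_connection(proxy_addr)
    req = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
           f"Host: {target_host}:{target_port}\r\n\r\n")
    sock.sendall(req.encode())
    resp = b""
    while b"\r\n\r\n" not in resp:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        resp += chunk
    status = resp.split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/1.1 200"):
        raise ConnectionError(f"CONNECT refused: {status!r}")
    return sock                                 # ssl.wrap would start here in real use


def run_demo(payload=b"hello through the tunnel"):
    """Wire origin, proxy and client together; return (client reply, bytes proxy saw)."""
    socket.setdefaulttimeout(5)
    origin = socket.socket(); origin.bind(("127.0.0.1", 0)); origin.listen(1)
    proxy = socket.socket(); proxy.bind(("127.0.0.1", 0)); proxy.listen(1)
    seen = []
    threads = [threading.Thread(target=serve_origin, args=(origin,)),
               threading.Thread(target=serve_proxy, args=(proxy, seen))]
    for t in threads:
        t.start()
    sock = connect_through_proxy(proxy.getsockname(), "127.0.0.1",
                                 origin.getsockname()[1])
    with sock:
        sock.sendall(payload)
        reply = sock.recv(1024)
    for t in threads:
        t.join()
    origin.close(); proxy.close()
    return reply, seen


if __name__ == "__main__":
    reply, seen = run_demo()
    print("client received:", reply)
    print("proxy observed:", seen)
```

The returned socket from `connect_through_proxy` is the point where a real client would call `ssl.create_default_context().wrap_socket(sock, server_hostname=...)`; after that handshake the entries in `seen` are TLS records rather than plaintext, and the proxy's only remaining options are to pass them through or to impersonate the origin with its own certificate, which is the "SSL bump" approach described in the answer and what certificate pinning is meant to detect.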