Gregory_Gerard_ (Nimbostratus), Apr 16, 2010
SSL Protocol Question
Before pursuing a potentially fruitless experiment, I thought I'd ask first. This is about the SSL/TLS protocol.
Given:
1. A client with a valid certificate (issued to each user) -- C
2. A server with a valid certificate (issued for the www.blah.com) -- S
3. An intermediate server between the two (a reverse proxy like an LTM) with the same certificate (or at least a valid certificate for www.blah.com) -- P
I would like P to terminate the SSL session so that I can inspect certain things in the HTTP stream and then if I'm satisfied, get the client to restart SSL on the same TCP connection (I don't want to lose the IP:port association) and reissue the HTTP command.
I don't wish P to impersonate C to S (because it would require the private certificate) nor snoop. Once P is satisfied, it would simply pass the SSL traffic untouched between C and S.
Is this possible in the SSL/TLS state machine?
I realize it might only be possible if there's a response code (302? 503?) that can be given back to the client right before getting it to talk to P so that C will retry the request without cutting the TCP connection.
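A walk through the record-layer bookkeeping that the proxy P would need for this, as an added example that is not part of the original post and not F5 product code. It parses the TLS record framing (content type, version, length; RFC 5246 section 6.2.1) and finds the handover point: a close_notify alert on the session P terminated, followed by a fresh ClientHello on the same TCP connection, which is the earliest point at which P could stop terminating and forward raw bytes to S unchanged. The byte stream is constructed here by hand; session-1 records appear in plaintext because P holds that session's keys, and nothing after the second ClientHello is readable by P. One caveat the protocol imposes: TLS 1.0 through 1.2 (RFC 2246/4346/5246, section 7.2.1) require the party that receives close_notify to close the connection, so a standard client tears down the TCP connection rather than starting a second handshake on it, and no HTTP status code changes that. The handover modelled below therefore assumes a client that deliberately keeps the socket open.

```python
"""Record-layer handover detector for the terminate-inspect-splice idea.

Added example (not from the original post, not F5 code). Models only the
TLS record framing; no encryption or handshake logic is implemented.
"""
import struct

CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HS_CLIENT_HELLO = 1
ALERT_CLOSE_NOTIFY = 0
TLS12 = 0x0303


def build_record(ctype, payload, version=TLS12):
    """TLSPlaintext framing: type(1) version(2) length(2) fragment."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def build_client_hello(random_bytes):
    """Minimal structurally valid ClientHello (no extensions) inside a
    Handshake header: msg_type(1)=1, length(3), body."""
    assert len(random_bytes) == 32
    body = (
        struct.pack("!H", TLS12)                # client_version
        + random_bytes                          # random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression_methods: null
    )
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Return (offset, content_type, version, fragment) per complete record.
    A truncated stream raises ValueError; a real proxy would keep buffering."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        if len(data) - off - 5 < length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((off, ctype, version, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def is_client_hello(fragment):
    return len(fragment) >= 4 and fragment[0] == HS_CLIENT_HELLO


def is_close_notify(fragment):
    # Alert fragment: level(1) description(1); close_notify is description 0
    return len(fragment) == 2 and fragment[1] == ALERT_CLOSE_NOTIFY


def connection_phases(data):
    """Phases P observes on one TCP connection from C. 'handshake2' marks a
    fresh ClientHello after close_notify, the point where P may splice to S."""
    phases, closed = [], False
    for _off, ctype, _ver, fragment in parse_records(data):
        if ctype == CT_HANDSHAKE and is_client_hello(fragment):
            phases.append("handshake2" if closed else "handshake1")
        elif ctype == CT_APPLICATION_DATA:
            phases.append("appdata")
        elif ctype == CT_ALERT and is_close_notify(fragment):
            phases.append("close_notify")
            closed = True
    return phases


def split_at_handover(data):
    """Return (bytes_for_P, bytes_for_S). Everything up to and including the
    close_notify belongs to the session P terminated; from the next
    ClientHello onward every byte is forwarded to S untouched. If there is
    no handover point, all bytes stay with P."""
    closed = False
    for off, ctype, _ver, fragment in parse_records(data):
        if closed and ctype == CT_HANDSHAKE and is_client_hello(fragment):
            return data[:off], data[off:]
        if ctype == CT_ALERT and is_close_notify(fragment):
            closed = True
    return data, b""


# Constructed sample of what P's TLS stack sees from C. Session-1 records are
# shown decrypted (P holds those keys); the final record is opaque to P.
SAMPLE_STREAM = (
    build_record(CT_HANDSHAKE, build_client_hello(b"\x11" * 32))
    + build_record(CT_APPLICATION_DATA,
                   b"GET /login HTTP/1.1\r\nHost: www.blah.com\r\n\r\n")
    + build_record(CT_ALERT, bytes([1, ALERT_CLOSE_NOTIFY]))
    + build_record(CT_HANDSHAKE, build_client_hello(b"\x22" * 32))
    + build_record(CT_APPLICATION_DATA, b"\xde\xad\xbe\xef")
)

if __name__ == "__main__":
    print(connection_phases(SAMPLE_STREAM))
    head, tail = split_at_handover(SAMPLE_STREAM)
    print(len(head), "bytes handled by P,", len(tail), "bytes forwarded raw to S")
```

The splice decision is made purely on framing, which is all P can see once it no longer holds the keys; after the handover the client's certificate and CertificateVerify go straight to S, so P never needs the client's private key.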