Posted to dev@trafficserver.apache.org by oksana fishman <ok...@gmail.com> on 2013/02/04 13:20:12 UTC

HTTPS traffic (not SSL termination)

Hi,
Is it possible to configure a trafficserver to work with HTTPS traffic?
To forward it to the server / parse it ? Only parse the visible fields, not
to perform SSL termination ?

Thanks

Re: HTTPS traffic (not SSL termination)

Posted by James Peach <ja...@me.com>.
On Feb 6, 2013, at 7:21 AM, Leif Hedstrom <zw...@apache.org> wrote:

> On 2/6/13 12:35 AM, oksana fishman wrote:
>> I can see a certificate, for example.
>> How https traffic can be seen by ATS plugin?
> 
> You mean the SSL handshake? That would be Layer 5, not Layer 7 (HTTPS). I don't think we expose any APIs for a plugin to intercept or participate in the handshake, but James would know better.

I guess that I'm still not totally clear about what is needed here. The only way I can think of to see SSL-encapsulated traffic without terminating the SSL channel is to write a plugin that does TCP pass through. You could easily write a simple protocol plugin that is able to examine the clear-text portions of the SSL handshake.

If you want to terminate SSL and do something with that, then you can use TSNetAcceptNamedProtocol() or TSPortDescriptorAccept(). Both of these are really intended for writing protocol plugins. TSNetAcceptNamedProtocol() lets you accept a connection based on an NPN (http://en.wikipedia.org/wiki/Next_Protocol_Negotiation) name. TSPortDescriptorAccept() lets you accept a connection on a socket that is described by a port descriptor string (i.e. the format that records.config uses).

If you want to terminate HTTPS and examine the SSL parameters of the underlying session, we don't currently have any APIs to do that. There has been some interest in exposing that information (https://issues.apache.org/jira/browse/TS-1584), however I would like to add an API that is more general than that proposal. Please add your comments to that bug if this is your area of interest.

J

Re: HTTPS traffic (not SSL termination)

Posted by Leif Hedstrom <zw...@apache.org>.
On 2/6/13 12:35 AM, oksana fishman wrote:
> I can see a certificate, for example.
> How https traffic can be seen by ATS plugin?

You mean the SSL handshake? That would be Layer 5, not Layer 7 (HTTPS). I 
don't think we expose any APIs for a plugin to intercept or participate in 
the handshake, but James would know better.

-- Leif


Re: HTTPS traffic (not SSL termination)

Posted by oksana fishman <ok...@gmail.com>.
I can see a certificate, for example.
How https traffic can be seen by ATS plugin?

On Tue, Feb 5, 2013 at 6:08 AM, Leif Hedstrom <zw...@apache.org> wrote:
>
> On 2/4/13 9:02 AM, oksana fishman wrote:
>>
>> Hi,
>>
>> Thank you for quick response
>> I don't mean level 3 and 4.
>> I mean HTTPS traffic
>
>
> How are you going to see anything in the HTTPS requests without doing SSL termination on the proxy server?
>
> -- Leif
>

Re: HTTPS traffic (not SSL termination)

Posted by Leif Hedstrom <zw...@apache.org>.
On 2/4/13 9:02 AM, oksana fishman wrote:
> Hi,
> Thank you for quick response
> I don't mean level 3 and 4.
> I mean HTTPS traffic

How are you going to see anything in the HTTPS requests without doing SSL 
termination on the proxy server?

-- Leif


Re: HTTPS traffic (not SSL termination)

Posted by oksana fishman <ok...@gmail.com>.
Hi,
Thank you for quick response
I don't mean level 3 and 4.
I mean HTTPS traffic

On Mon, Feb 4, 2013 at 4:48 PM, Leif Hedstrom <zw...@apache.org> wrote:

> On 2/4/13 5:20 AM, oksana fishman wrote:
>
>> Hi,
>> Is it possible to configure a trafficserver to work with HTTPS traffic?
>> To forward it to the server / parse it ? Only parse the visible fields,
>> not
>> to perform SSL termination ?
>>
>>
>
> What visible fields? You mean on Level 3 and 4 ?
>
> -- Leif
>
>

Re: HTTPS traffic (not SSL termination)

Posted by Leif Hedstrom <zw...@apache.org>.
On 2/4/13 5:20 AM, oksana fishman wrote:
> Hi,
> Is it possible to configure a trafficserver to work with HTTPS traffic?
> To forward it to the server / parse it ? Only parse the visible fields, not
> to perform SSL termination ?
>


What visible fields? You mean on Level 3 and 4 ?

-- Leif