
The Design and Implementation of a SSL Proxy For Content Switch

Introduction

The SSL Protocol

The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and routing of data over the Internet. Other protocols, such as the HyperText Transfer Protocol (HTTP), the Lightweight Directory Access Protocol (LDAP), or the Internet Message Access Protocol (IMAP), run "on top of" TCP/IP in the sense that they all use TCP/IP to support typical application tasks such as displaying web pages or running email servers.

Figure 1: SSL runs above TCP/IP and below high-level application protocols

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. SSL thus provides secure communication between client and server through mutual authentication, digital signatures for integrity, and encryption for privacy. The protocol is designed to support a range of choices for the specific algorithms used for encryption, digests, and signatures. This allows the algorithm selection for a given server to be made on legal, export or other grounds, and also lets the protocol take advantage of new algorithms. The choices are negotiated between client and server at the start of a protocol session. SSL is used to protect many different types of sensitive data. The most familiar case is the on-line store ("abcxyz.com"), which uses SSL to protect its customers' credit-card numbers. On-line banks, bill-payment services and stockbrokers use SSL to protect their customers' account passwords and trading information. SSL is also used to protect data in business-to-business (B2B) networks, to secure FTP and Telnet, and in many other applications.

How does the SSL Proxy Work?

The SSL Proxy communicates with the client over the Secure Socket Layer, using HTTPS (Secure HyperText Transfer Protocol), and communicates with the real server using plain HTTP. It decrypts the HTTPS request, converts it to HTTP and sends it to the real server; the response from the real server is encrypted with SSL before it is returned to the client.

Goal

The goal of this thesis work is to design and implement an efficient SSL proxy that can load balance web requests both at the transport (L4) level and at the application level. Incoming packets will be routed based on IP address, TCP/UDP port number, URL regular expression, HTTP meta header, and the values of XML tags. The tasks include:

- Design an efficient SSL Proxy that can handle multiple SSL requests
- Handle session reusability
- Handle Keep-Alive sessions

Thesis Plan

- Design a concurrent SSL Proxy that can handle multiple SSL requests
- Study and analyze how session reusability can be achieved
- Study and analyze how Keep-Alive sessions can be maintained

Studies show that processing time can be drastically reduced if session reusability and Keep-Alive sessions are handled.

Implementation

HTTPS is very slow compared to HTTP, so designing and implementing an efficient proxy will be challenging. The proxy will make routing decisions based on IP address, TCP/UDP port number, URL regular expression, HTTP meta header, and the values of XML tags.

Testing

The implementation will be tested thoroughly on the advanced content switch test-bed in our computer science lab. The network configuration will include one content switch and four real servers.

Deliverables

The deliverables will include:

- Design documentation for the SSL Proxy
- Source code implementing the SSL Proxy on Linux
- Testing documentation
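As an added illustration (not code from the thesis), the content-switch decision the proxy makes once it has decrypted a client's HTTPS request: the plaintext HTTP request is parsed and routed to a real server by URL regular expression, HTTP header value or XML tag value, three of the criteria listed above. The rule table and server addresses are constructed for the example; a request matching no rule, or carrying a body that is not well-formed XML, falls through to the default server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule table (hypothetical real-server addresses): one criterion from the
# proposal (URL regex, HTTP header value or XML tag value) per rule; first match wins.
RULES = [
    {"url_regex": r"\.(gif|jpe?g|png)$", "server": "10.0.0.11:80"},       # static images
    {"header": ("user-agent", r"^WAP"), "server": "10.0.0.12:80"},        # mobile clients
    {"xml_tag": ("order/priority", r"^high$"), "server": "10.0.0.13:80"},  # priority orders
]
DEFAULT_SERVER = "10.0.0.10:80"

def parse_request(raw: bytes):
    """Split a decrypted HTTP/1.x request into (method, url, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:                       # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def xml_tag_value(body: bytes, path: str):
    """Text of the tag at 'root/child' in an XML body; None if the body is not
    well-formed XML or the tag is absent (the request then falls through)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    top, _, rest = path.partition("/")
    node = root.find(rest) if root.tag == top and rest else None
    return node.text if node is not None else None

def select_real_server(raw: bytes) -> str:
    """Content-switch decision for one plaintext request: the real server to use."""
    _method, url, headers, body = parse_request(raw)
    for rule in RULES:
        if "url_regex" in rule and re.search(rule["url_regex"], url):
            return rule["server"]
        if "header" in rule and re.search(rule["header"][1], headers.get(rule["header"][0], "")):
            return rule["server"]
        if "xml_tag" in rule:
            value = xml_tag_value(body, rule["xml_tag"][0])
            if value is not None and re.search(rule["xml_tag"][1], value):
                return rule["server"]
    return DEFAULT_SERVER
```

Layer-4 criteria (client IP address, TCP/UDP port) are known from the accepted socket and would be checked before the request is parsed; only the application-level rules need the decrypted payload.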

