[openssl-users] SSL based Tunnel implementation

Prabhat Puroshottam prabhat.puroshottam at outlook.com
Fri Sep 4 14:43:00 UTC 2015


We have a software product which allows Clients (C) to communicate with Agents (A) via a Proxy server (P). Client, Proxy and Agent are all part of our product suite. The data transferred can even be in gigabytes (these are actually large files being transferred). Multiple clients can communicate with multiple agents via the same Proxy. All data transfer happens via SSL. Right now, all data coming from C is first decrypted at P and then encrypted again before being written to P, since separate connections exist between C & P and P & A, with separate SSL connections as well. This decryption/encryption at P is making overall communication slow, and is putting too much CPU load on P.

To improve this situation, we plan to make P a sort of tunnel for data coming from C to A and for that coming from A to C. Here is the proposed process (similar to a SOCKS proxy):

1. TCP Connection and Handshake: C <==> P. Call this connection C1.
2. SSL Handshake: C <==> P.
3. Application level Handshake and authentication: C <==> P.
4. TCP Connection and Handshake: P <==> A. Call this connection C2. On completion of this step C has successfully authenticated itself to P, and all data coming from C is henceforth copied to A and vice versa.
5. SSL Handshake: C <==> A. This handshake is between C and A. P just forwards all data coming from C1 to C2. So C and A will negotiate the communication parameters between themselves, including the SSL cipher suite, etc.
6. Application Level Data Transfer: P just copies all data coming from C1 to C2 and vice-versa.
a. C => P => A (No encryption/decryption/interpretation – just plain copying of all data).
b. A => P => C (No encryption/decryption/interpretation – just plain copying of all data).
7. At some point, Application Level Data Transfer ends, and the connections close.
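As an added illustration (not the poster's code; the `TUNNEL <agent-id> <token>` handshake line, the token table and the agent-connect callback are constructed assumptions), a minimal Python proxy loop for steps 3-6: P reads only the plaintext authentication line, opens C2 only after that succeeds, and from then on copies opaque bytes in both directions, so it can neither inspect nor alter the C <==> A TLS handshake that follows.

```python
import contextlib
import select
import socket

# Constructed handshake framing (hypothetical, not the poster's real protocol):
# C sends "TUNNEL <agent-id> <token>\n" in plaintext over C1 before any TLS bytes.
VALID_TOKENS = {"agent-1": "constructed-secret-token"}

def read_line(sock, limit=256):
    """Read one line byte by byte so P never consumes bytes past the newline (where the C<->A TLS handshake starts)."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch or len(buf) >= limit:
            raise ConnectionError("truncated or oversized handshake line")
        buf += ch
    return buf

def app_handshake(c1):
    """Step 3: authenticate C at P; returns the agent id C asked for."""
    parts = read_line(c1).rstrip(b"\n").split(b" ")
    if len(parts) != 3 or parts[0] != b"TUNNEL":
        raise PermissionError("malformed handshake")
    agent, token = parts[1].decode(), parts[2].decode()
    if VALID_TOKENS.get(agent) != token:
        raise PermissionError("client authentication failed")
    c1.sendall(b"OK\n")
    return agent

def relay(c1, c2, bufsize=65536):
    """Step 6: blind copy both ways; each side's EOF becomes a write-shutdown of the other. Returns (C->A, A->C) byte counts."""
    counts, peer, live = {c1: 0, c2: 0}, {c1: c2, c2: c1}, [c1, c2]
    while live:
        readable, _, _ = select.select(live, [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:
                with contextlib.suppress(OSError):
                    peer[s].shutdown(socket.SHUT_WR)
                live.remove(s)
                continue
            peer[s].sendall(data)   # bytes pass through unchanged and uninterpreted
            counts[s] += len(data)
    return counts[c1], counts[c2]

def serve_tunnel(c1, connect_agent):
    """Steps 3-6 for one C1: authenticate, only then open C2, then copy blindly."""
    c2 = connect_agent(app_handshake(c1))
    with c1, c2:
        return relay(c1, c2)
```

Once `relay` starts, P sees only opaque TLS records, so the certificate verification in the C <==> A handshake is the only place where tampering on the path can be detected.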

I have two questions:

1. Do you foresee any problem/difficulties implementing this approach?
2. Is there a concern of a man-in-the-middle attack between steps 4 and 5? If yes, how can we overcome that - any pointers?


PS: We are using the openssl library, and this is a security-related question, which is why I have asked it here. Please forgive me if you feel this post doesn't belong here.
