Re: Q: Howto - SSL Tunnel for End-to-End encryption

Hi,

Usually this will be the scenario,
[Web Client] <-> [Web Server (Apache)] / [Application Server (WebLogic)] <-> [Database Server (Oracle)] in which case Web Server or Application Servers will become the proxy.

You can look at SSL Tunneling, here are few links, http://muffin.doit.org/docs/rfc/tunneling_ssl.html http://developer.netscape.com/docs/manuals/proxy/ProxyUnx/SSL-TUNL.HTM

If you are looking at in the application layer, XML Encryption would be the way to go,
http://xml.coverpages.org/ni2002-12-10-a.html http://www.w3.org/Encryption/2001/

Thanks,
Chandru.

>>> "Ip, Ting Pong" <pong@cs.ust.hk> 4/27/2003 2:23:33 PM >>>
Hi all,

I am now researching on the implementation of end-to-end encryption for the
following typical web application architecture. [Web Client] <-> [Web Server (Apache)] <-> [Application Server (WebLogic)]
<-> [Database Server (Oracle)]

I would like to make an end-to-end encryption from the web client to application server so that no intermediate nodes could read the transmitting
traffic.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

However, I found that the Apache SSL-Proxy module would initiate the SSL
connection from the web server to the Application Server. Besides, the SSL
connection from web client will terminate on the web server. Therefore, in
either case, the web server can read the transmitting traffic. I am thinking that to "rewrite" or "redirect" the web connection from the web
server to the application server but this would expose the application server to the public.

Other than implementing the end-to-end encryption on the application level,
are there any network architecture that can achieve end-to-end encryption
without bypassing the web server?

Thank you very much.

Pong Received on Mon Apr 28 11:03:07 2003