
A TLS termination proxy (or SSL termination proxy, or SSL offloading) is a proxy server that acts as an intermediary point between client and server applications, and is used to terminate and/or establish TLS (or DTLS) tunnels by decrypting and/or encrypting communications. This is different from TLS pass-through proxies, which forward encrypted (D)TLS traffic between clients and servers without terminating the tunnel.


Uses

TLS termination proxies can be used to:
* secure plaintext communications over untrusted networks by tunnelling them in (D)TLS,
* allow inspection of encrypted traffic by an intrusion detection system to detect and block malicious activities,
* allow network surveillance and analysis of encrypted traffic,
* enable otherwise unsupported integration with other applications that provide additional capabilities such as content filtering or a hardware security module,
* enable (D)TLS protocol versions, extensions, or capabilities (e.g. OCSP stapling, ALPN, DANE, CT validation, etc.) unsupported by client or server applications to enhance their compatibility and/or security,
* work around buggy/insecure (D)TLS implementations in client or server applications to improve their compatibility and/or security,
* provide additional certificate-based authentication unsupported by server and/or client applications or protocols,
* provide an additional defence-in-depth layer for centralised control and consistent management of (D)TLS configuration and associated security policies, and
* reduce the load on the main servers by offloading the cryptographic processing to another machine.


Types

TLS termination proxies can provide three connectivity patterns:
* TLS Offloading: an inbound encrypted (D)TLS connection from a client is terminated and the communication is forwarded over a plaintext connection to the server.
* TLS Encryption: an inbound plaintext connection from a client is forwarded over an encrypted (D)TLS connection to the server.
* TLS Bridging: two encrypted (D)TLS connections are joined to allow inspection and filtering of encrypted traffic, by decrypting the inbound (D)TLS connection from the client and re-encrypting it over another (D)TLS connection to the server.

Combining a TLS Encrypting proxy in front of a client with a TLS Offloading proxy in front of a server can provide (D)TLS encryption and authentication for protocols and applications that do not otherwise support it, with the two proxies maintaining a secure (D)TLS tunnel over the untrusted network segments between client and server.

A proxy used by clients as an intermediary gateway for all outbound connections is typically called a forward proxy, while a proxy used by servers as an intermediary gateway for all inbound connections is typically called a reverse proxy. Forward TLS bridging proxies that allow an intrusion detection system to analyse all client traffic are typically marketed as "SSL Forward Proxy".

TLS Offloading and TLS Bridging proxies typically need to authenticate themselves to clients with a digital certificate using either PKIX or DANE authentication. Usually the server operator supplies its reverse proxy with a valid certificate for use during the (D)TLS handshake with clients. A forward proxy operator, however, would need to create their own private CA, install it into the trust store of all clients, and have the proxy generate, in real time, a new certificate signed by the private CA for each server that a client tries to connect to.

When network traffic between client and server is routed via a proxy, it can operate in transparent mode by using the client's IP address instead of its own when connecting to the server and using the server's IP address when responding to the client. If a transparent TLS Bridging proxy has a valid server certificate, neither client nor server would be able to detect the proxy's presence. An adversary that has compromised the private key of the server's digital certificate, or is able to use a compromised or coerced PKIX CA to issue a new valid certificate for the server, could perform a man-in-the-middle attack by routing TLS traffic between client and server through a transparent TLS Bridging proxy, and would then be able to copy decrypted communications, including logon credentials, and modify the content of communications on the fly without being detected.
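As an added example (not code from the original article), the first pattern above, TLS Offloading, in Go: a loopback TLS listener terminates the tunnel and relays the decrypted bytes to a plaintext backend. The throwaway self-signed certificate, the backend address and the function names are assumptions standing in for the CA-issued certificate and real services an operator would configure.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// selfSignedCert builds a throwaway loopback certificate for the proxy's TLS
// listener (assumption); a real reverse proxy is given a CA-issued certificate.
func selfSignedCert() (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}
// relay is the offloading step: the TLS side hands over decrypted bytes, which go to the backend in the clear.
func relay(front net.Conn, backendAddr string) {
	defer front.Close()
	back, err := net.Dial("tcp", backendAddr)
	if err != nil { return }
	defer back.Close()
	go io.Copy(back, front) // client -> server, plaintext hop
	io.Copy(front, back)    // server -> client, re-encrypted by the TLS listener
}
// StartOffloadProxy listens for TLS on a loopback port and forwards each connection in the clear
// to backendAddr; it returns the proxy's address and the certificate clients must trust.
func StartOffloadProxy(backendAddr string) (string, *x509.Certificate, error) {
	cert, err := selfSignedCert()
	if err != nil { return "", nil, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return "", nil, err }
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go relay(c, backendAddr) // one goroutine per client; handshake runs on first read
		}
	}()
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	return ln.Addr().String(), leaf, err
}
```

Point backendAddr at any plaintext TCP service and connect with a TLS client whose trust store contains the returned certificate; a client that does not trust it fails the handshake, which is the PKIX authentication step described above.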

