Download The Design and Implementation of a SSL Proxy

The Design and Implementation of a SSL Proxy
For Content Switch
Thesis Proposal
by
Ganesh Kumar Godavari
Computer Science Department
University of Colorado at Colorado Springs
Approved by:
Dr. Edward Chow
(Advisor)
Dr. Charles Shub
Dr. Jugal Kalitha
1.Introduction
This Thesis deals with the design and implementation of SSL PROXY for content
switch. SSL Proxy communicates using Secure Socket Layer, HTTPS (Secure
HyperText Transport Protocol) with the client and uses HyperText Transport
Protocol (HTTP) to communicate with the server. It converts the HTTPS request
to HTTP and sends the request to the real server and the response from the real
server is encrypted using SSL.
Figure 1
How SSL Proxy works
The SSL protocol is a session layer protocol that runs above TCP/IP and below
higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the
higher-level protocols, and in the process allows an SSL-enabled server to
authenticate itself to an SSL-enabled client, allows the client to authenticate itself
to the server, and allows both machines to establish an encrypted connection.
The Transmission Control Protocol/Internet Protocol (TCP/IP) provides the
transport and routing of data over the Internet. Application protocols such as the
HyperText Transport Protocol (HTTP), Lightweight Directory Access Protocol
(LDAP), or Internet Messaging Access Protocol (IMAP), run either directly or
indirectly through SSL "on top of" TCP/IP.
Figure 2
SSL runs above TCP/IP and below high-level application protocols
SSL provides for secure communication between client and server by allowing
mutual authentication, the use of digital signatures for integrity, and encryption
for privacy. The protocol is designed to support a range of choices for specific
algorithms used for cryptography, digests, and signatures. This allows algorithm
selection for specific servers to be made based on legal, export or other
concerns, and also enables the protocol to take advantage of new algorithms.
Choices are negotiated between client and server at the start of establishing a
protocol session.
SSL is used to protect many different types of sensitive data. The most familiar is
the online store (amazon.com, ebay.com), which uses SSL to protect their
customers' credit-card numbers. On-line banks, bill-payment services and
stockbrokers use SSL to protect their customer's account passwords and trading
information. SSL is also used to protect data in B2B networks, secure ftp and
telnet, and many other uses.
1.1 IXP1200
The Intel® IXP1200 Network Processor [6] is the cornerstone of the Intel®
Internet Exchange Architecture (Intel® IXA) [7]. It combines the best attributes of
a network ASIC with the flexibility, performance, and scalability of a
programmable embedded processor to accelerate development of nextgeneration Internet products. The IXP1200 Network Processor is specifically
designed for network control tasks, such as wire-speed switching and routing of
packets or cells in real time.
1.2 IXP12EB
The IXP12EB Ethernet Evaluation Kit is a powerful tool for developing and
verifying hardware and software for the IXP1200 Network Processor. The kit
supports the IXP12DE software development environment for programming the
Network Processor’s microengines and integrated Intel StrongARM* processor
core. The IXP12EB is already set up in our lab. The configuration is shown in
Figure 3.
Figure 3. IXP12EB set up
1.3 Introduction to WindRiver VxWorks and Tornado IDE
Tornado[8] is an integrated environment for software cross-development. It
provides an efficient way to develop real-time and embedded applications with
minimal intrusion on the target system. Tornado comprises the following
elements [8,9]:



VxWorks [10], a high-performance real-time operating systems
Application-building tools (compilers and associated programs)
An integrated development environment (IDE) that facilitates managing
and building projects, establishing and managing host-target
communication, and running, debugging, and monitoring VxWorks
applications
The Tornado environment is designed to provide this full range of features
regardless of whether the target is resource-rich or resource-constrained.
Tornado facilities execute primarily on a host system, with shared access to a
host-based dynamic linker and symbol table for a remote target system. The
target server and target agent mediates communication between the host tools
and VxWorks.
The development environment is already set up in our lab as shown in Figure 4.
Figure 4. Development Environment set up
2.Goal
The goal of this thesis work is to design and implement an efficient SSL PROXY,
which can load balance the web requests on the Application level. The incoming
packets will be routed based on IP address, TCP port number, URL, HTTP Meta
header, and the value of XML tags. The tasks include:
Design Efficient SSL Proxy that can
 Handle Multiple SSL Requests
 Handle session reusability
 Handle Keep-Alive sessions
3.Thesis Plan
The thesis will include the following activities
Work done Till-Date
 Designing a concurrent SSL Proxy (dynamic forking) in Linux that can
handle multiple SSL Requests
 Study and analyze how session reusability can be achieved
Next 2 week
 Study and analyze how Keep-Alive sessions can be maintained
 Study and analyze how to achieve preforking.
 Compare the performance of preforking and dynamic forking versions
Next 2 weeks
 Port OpenSSL to VxWorks
 Compare networking support between Linux and VxWorks
Next 3 weeks
 Port the SSL Proxy to IXP network Processor and compare performance
with Linux based SSL Proxy
 Compare the performance of SSL Proxy on Linux and IXP-12EB
4. Implementation
HTTPS is very slow compared to HTTP, so designing and implementing an
efficient proxy will be challenging. The proxy will be making routing decisions
based on IP address, TCP port number, URL, HTTP Meta header, and value of
XML tags
5.Testing
The implementation will be tested on the advanced content switch test-bed in our
computer science lab. The network configuration will include one content switch,
3/4 real servers.
6.Deliverables
The deliverables will include:
 Design documentation for the SSL Proxy.
 Source code for implementing the SSL Proxy on Linux and IXP 12EB
 Testing documentation
7.References
[1] OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org)
[2] SSL and TLS, by Eric Rescorla
[3] SSL and TLS Essentials, by Stephen Thomas
[4] mod_ssl: The Apache Interface to OpenSSL (http://www.modssl.org)
[5] HTTP Over TLS
ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-https-02.txt
The specification on how to run HTTP over SSL/TLS
[6] Tunneling TCP based protocols through Web proxy servers
http://www.www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling-01.txt
The specification for the HTTP CONNECT method
[7] Analysis of SSL 3.0 Protocol
http://www.counterpane.com/ssl.html
D. Wagner and B. Schneier's USENIX analysis of SSLv3
[8] HyperText Transfer Protocol (HTTP), Version 1.1 (Internet Draft)
http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-06.txt
The application layer protocol Apache+mod_ssl uses over SSL/TLS
[9] HyperText Transfer Protocol (HTTP), Version 1.0 (RFC 1945)
http://www.ietf.org/rfc/rfc1945.txt
The application layer protocol Apache + mod_ssl uses over SSL/TLS
[10] Intel® IXA (Internet Exchange Architecture),
http://developer.intel.com/design/ixa/index.htm
[11] WindRiver Tornado Development Tools,
http://www.windriver.com/products/html/tornado2.html
[12] Tornado User’s Guide (Windows Version) 2.0
[13] WindRiver VxWorks, http://www.windriver.com/products/html/vxwks54.html
Intel®, IXP-1200, IXP-12EB is the registered Trademarks of Intel Corporation
Tornado, VxWorks is the registered Trademarks of Wind River Systems, Inc
Linux, Apache, Openssl protected under the GNU General Public License