1

In my corporate environment there is a transparent proxy that requires credentials for internet access (every four hours). In my application I successfully passed credentials like this:

```csharp
using System.Net;

var client = new WebClient();
client.Credentials = new NetworkCredential("username", "password");
string result = client.DownloadString("http://...");
// this works!
```

However, when my initial request is to an "https://" URL, there is an exception thrown: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Now my current workaround is to:

  • catch the WebException thrown when accessing the "https://" url
  • add my Credentials to a new request to an arbitrary "http://" site
    • (this should "open up" the internet for a four hour window)
  • go back and re-try the "https://" request

I am wondering if there is a better/cleaner way to do this?

Brandon
  • This just seems like a bad idea. Do you really want to expose potentially sensitive data in the clear? – M.Babcock Dec 22 '11 at 19:31
  • There is no sensitive data being sent over the clear (as far as I can tell.) The credentials I add to a generic "http" request are intercepted by the transparent proxy. Then I retry the original "https" request (which now works since transparent proxy has authenticated me) – Brandon Dec 22 '11 at 19:36
  • It sounds like you are building more of a man-in-the-middle or pass-thru server rather than a true proxy (similar but different). Either way if you allow users of the proxy to allow any site to go through it, you could potentially be exposing sensitive data. – M.Babcock Dec 22 '11 at 19:40
  • Basically I am just trying to pass my credentials to get the corporate internet to allow me to access the internet. When I add them to a http request everything is fine, but when I add them to a https request I get the SSL error. Could be the way they have the corporate proxy set up? I am not sure – Brandon Dec 22 '11 at 19:59
  • Could also be that they want you to have to authenticate against their corporate proxy in order to get out. Most browsers do this already... let me guess, you're running Firefox? – M.Babcock Dec 22 '11 at 20:01
  • Yes, every four hours any outgoing web traffic has to re-authenticate. For standard browsing, the browser pops up a window to prompt for credentials and then adds an "Authenticate Basic XXXX" header and re-submits the request. In this example, however, I am trying to have my application perform the request in the controller – Brandon Dec 22 '11 at 20:07
  • Similar to: http://stackoverflow.com/questions/753191/accessing-https-site-through-proxy-server – Arical Dec 22 '11 at 20:08

1 Answer

8

What you are using right now is an HTTP proxy with authentication. So far so good. But it won't work for HTTPS requests, and here's why:

SSL/TLS is endpoint security. This means that the data must be sent between the client and the server via the single encrypted channel.

When you connect to the HTTP proxy, you tell it "GET the remote resource and send it to me", which contradicts endpoint security. Here you don't have a direct connection to the remote server and you can't validate its credentials. Also, the proxy can peep into your data.

In general, it's possible to connect to a regular HTTP proxy using HTTPS, or it is possible to ask the HTTP proxy to access an HTTPS resource, but this breaks security because in both cases the client can't validate the server's credentials and the HTTP proxy can log or alter the data being transferred.

An HTTPS proxy works in a different way. Here you tell the HTTPS proxy server "CONNECT to remote address and then only resend whatever is passed". This way the proxy creates an opaque secure channel between the client and the server, thus preserving endpoint security. Actually, an HTTPS proxy can be used to tunnel any traffic, not necessarily SSL.

Consequently, you need to establish the tunnel by sending a CONNECT request (with your authentication included), and then send a regular HTTP GET (without host/address in the URL) over the same channel - this request will go to the destination server, not to the proxy.

I have serious doubts that your WebClient can be made to establish a tunnel before sending a request. As an option, you can use HTTPBlackbox package of our SecureBlackbox product which lets you access HTTP and HTTPS resources, and supports HTTPS proxies (called WebTunneling in SecureBlackbox) with authentication.

Eugene Mayevski 'Callback
  • +1 for detailed explanation. I am curious, whether it is still possible to use HTTP proxy to access HTTPs site via C#? Let's say I don't mind about security? – Gabrielius Nov 13 '15 at 09:40
  • @Gabrielius Yes, from the protocol point of view it will be just a request for "https://address/path" resource. In fact, for the HTTP proxy it doesn't matter much from where to take the file (given that the proxy supports the requested protocol, and nowadays the set is usually limited to HTTP and HTTPS and sometimes FTP). – Eugene Mayevski 'Callback Nov 13 '15 at 20:07
  • Maybe you could advise me why I am experiencing problems when accessing an HTTPs address through an HTTP WebProxy (using `C#`)? Everything is fine with HTTP sites though. I get `Timeout` or `Gateway` errors. As I mentioned before, I don't mind if the proxy can see the traffic. – Gabrielius Nov 16 '15 at 11:59
  • @Gabrielius please post your questions with all relevant details as a new question. StackOverflow is not a forum and is not intended for lengthy discussions with changing topic. – Eugene Mayevski 'Callback Nov 16 '15 at 17:42
  • I would be grateful if you looked at my [question](http://stackoverflow.com/questions/33810204/making-a-https-request-using-a-http-proxy) and shed some light on it. – Gabrielius Nov 24 '15 at 09:55
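
The CONNECT exchange the answer describes, written out in C# as an added example; it is not code from the thread or from any product mentioned in it. The class `ConnectTunnel`, its method names and `example.com` are hypothetical, and it assumes .NET Core 3.0 or later and a proxy that accepts Basic authentication (the scheme mentioned in the comments).

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

static class ConnectTunnel
{
    // Sent to the proxy in clear text; the credentials go here, not in the later GET.
    public static string BuildConnect(string host, int port, string user, string password)
    {
        string token = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
        return $"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n" +
               $"Proxy-Authorization: Basic {token}\r\n\r\n";
    }
    // Reads the proxy's reply header byte by byte (so no tunnel bytes are consumed)
    // and returns its status code: 200 = tunnel open, 407 = proxy wants credentials.
    public static int ReadProxyStatus(Stream s)
    {
        var head = new StringBuilder();
        for (int b = s.ReadByte(); b >= 0; b = s.ReadByte())
        {
            head.Append((char)b);
            if (head.Length >= 4 && head.ToString(head.Length - 4, 4) == "\r\n\r\n") break;
        }
        string[] parts = head.ToString().Split(' ');
        return parts.Length > 1 && int.TryParse(parts[1], out int code) ? code : -1;
    }
    // TLS runs end to end inside the tunnel: the certificate is checked against the
    // destination host name, and the GET carries only the path. Returns the raw response.
    public static string Get(string proxy, int proxyPort, string host, string path, string user, string password)
    {
        using var tcp = new TcpClient(proxy, proxyPort);
        NetworkStream raw = tcp.GetStream();
        raw.Write(Encoding.ASCII.GetBytes(BuildConnect(host, 443, user, password)));
        int status = ReadProxyStatus(raw);
        if (status != 200) throw new IOException("Proxy refused CONNECT: " + status);
        using var tls = new SslStream(raw);
        tls.AuthenticateAsClient(host); // throws if the certificate is not valid for host
        tls.Write(Encoding.ASCII.GetBytes($"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"));
        return new StreamReader(tls).ReadToEnd();
    }
    static void Main()
    {
        // Constructed proxy replies, so this part runs without a network or a proxy.
        foreach (string r in new[] { "HTTP/1.1 200 Connection established\r\n\r\n",
                                     "HTTP/1.1 407 Proxy Authentication Required\r\n\r\n" })
            Console.WriteLine(ReadProxyStatus(new MemoryStream(Encoding.ASCII.GetBytes(r))));
        Console.Write(BuildConnect("example.com", 443, "username", "password"));
    }
}
```

If the proxy terminates TLS itself instead of tunnelling it, `AuthenticateAsClient` fails with an `AuthenticationException` unless the proxy's CA is in the machine's trust store, which is the check the tunnel is meant to preserve.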