Question
- When a client connects to a Proxy with SSL Transparency, what is the pattern of connections and SSL/TLS handshakes?
- What is the order of operations for clients performing a TCP and TLS handshake with a Proxy that has a Transparent SSL Profile enabled?
Environment
- Proxy/Proxies
- Transparent SSL
Answer
An important distinction between a regular SSL/TLS-terminating proxy and one that uses Transparent SSL is that Silverline does not send its Server Hello to the client until the backend/origin has sent its Server Hello back to the proxy. Conversely, with a Silverline Proxy that does not use SSL Transparency, the full SSL/TLS handshake is completed between client and proxy first, and then a separate, distinct handshake is performed with the backend.
Connection flow:
1. Client/Proxy TCP handshake
2. Proxy/Backend TCP handshake
3. Client sends Proxy the SSL/TLS Client Hello (can be simultaneous with Step 2)
4. Proxy sends Backend the client's SSL/TLS Client Hello
5. Backend sends Proxy the SSL/TLS Server Hello and the key exchange occurs (full SSL/TLS handshake between proxy and backend)
6. Proxy sends Client the SSL/TLS Server Hello and completes the handshake that the client's Client Hello began
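The ordering above, as an added simulation that is not Silverline product code: a small model of a proxy that replays the transparent flow (the client's Client Hello is relayed to the backend and the client-facing Server Hello is held until the backend's Server Hello arrives) next to the terminating flow (full client-side handshake first, then a separate backend handshake). The `Proxy` class, the mode names and the event labels are constructed for illustration; the check functions let you confirm from an event log which ordering a proxy is following.

```python
"""Simulate the handshake ordering of a transparent vs. a terminating TLS proxy.

Added example, not Silverline code. Event tuples are (sender, receiver, message);
the mode names and message labels are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Event = Tuple[str, str, str]  # (sender, receiver, message)


@dataclass
class Proxy:
    mode: str                       # "transparent" or "terminating" (hypothetical names)
    log: List[Event] = field(default_factory=list)

    def _emit(self, src: str, dst: str, msg: str) -> None:
        self.log.append((src, dst, msg))

    def handle_client_connection(self) -> List[Event]:
        """Run one client connection end to end and return the ordered event log."""
        self.log.clear()
        self._emit("client", "proxy", "TCP handshake")                 # Step 1
        if self.mode == "transparent":
            self._emit("proxy", "backend", "TCP handshake")            # Step 2
            self._emit("client", "proxy", "ClientHello")               # Step 3
            # The client's own ClientHello is relayed, not a new one from the proxy.
            self._emit("proxy", "backend", "ClientHello (relayed)")    # Step 4
            self._emit("backend", "proxy", "ServerHello + key exchange")  # Step 5
            # Only after the backend answered does the client get a ServerHello.
            self._emit("proxy", "client", "ServerHello + key exchange")   # Step 6
        elif self.mode == "terminating":
            # Full client-side handshake completes before the backend is contacted.
            self._emit("client", "proxy", "ClientHello")
            self._emit("proxy", "client", "ServerHello + key exchange")
            self._emit("proxy", "backend", "TCP handshake")
            self._emit("proxy", "backend", "ClientHello (proxy's own)")
            self._emit("backend", "proxy", "ServerHello + key exchange")
        else:
            raise ValueError(f"unknown proxy mode {self.mode!r}")
        return list(self.log)


def index_of(log: List[Event], src: str, dst: str, prefix: str) -> int:
    """Position of the first event from src to dst whose message starts with prefix."""
    for i, (s, d, m) in enumerate(log):
        if s == src and d == dst and m.startswith(prefix):
            return i
    raise KeyError(f"no event {src}->{dst} {prefix!r} in log")


def client_server_hello_waits_for_backend(log: List[Event]) -> bool:
    """True when the proxy's ServerHello to the client comes after the backend's ServerHello."""
    return (index_of(log, "proxy", "client", "ServerHello")
            > index_of(log, "backend", "proxy", "ServerHello"))


def client_hello_is_relayed(log: List[Event]) -> bool:
    """True when the backend receives the client's own ClientHello rather than the proxy's."""
    return any(s == "proxy" and d == "backend" and m.startswith("ClientHello (relayed)")
               for s, d, m in log)


if __name__ == "__main__":
    for mode in ("transparent", "terminating"):
        events = Proxy(mode).handle_client_connection()
        print(f"== {mode} ==")
        for n, (s, d, m) in enumerate(events, 1):
            print(f"{n}. {s} -> {d}: {m}")
        print("client ServerHello waits for backend:",
              client_server_hello_waits_for_backend(events))
        print("client's ClientHello relayed to backend:", client_hello_is_relayed(events))
```

One consequence of the transparent ordering that the model makes visible: the client's handshake cannot complete before the proxy/backend handshake does, so the backend's handshake time is part of what the client sees before its Server Hello arrives.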