In these times when security is becoming ever more important the SSL Tunneling Protocol is extremely important, it allows a web proxy server to act as a tunnel for SSL enhanced protocols. The protocol is used when any connected client makes a HTTP request to the proxy server and asks for a SSL tunnel to be initiated. On the HTTP protocol level, the handshake required to initiate the SSL tunneling connection is simple. There is little difference to an ordinary HTTP request except that a new ‘Connect’ method is used and the parameter passed is not a full URL but instead a destination port number and hostname separated by a colon.
The port number is always required with ‘CONNECT’ requests because the tunneling method is generic and there is no protocol specified, hence default port numbers cannot be used reliably. The general syntax for the request is as below ;
CONNECT <host>:<port> HTTP/1.0
HTTP Request Headers
The successful response would be a connection established message, followed by another empty line. After the successful response the connection will then pass all the data transparently to the destination server and pass through any replies from the server. In practice what is happening is the proxy is validating the initial request, establishes the connection and then takes a step back. After this initial stage the proxy merely forwards data back and forth between the client and the server. If either side closes the connection then the proxy will cause both connections to be closed and no mor tunneling will take place until a new connection is established between the server and client.
The proxy does have the ability to respond to error messages within the SSL tunnel. If this error is generated in the initial stages then the connection will not be established, if it is already connected then the proxy will close the connection after the error response has been sent. However it is important to remember especially where security is important that this SSL tunneling protocol is not specific to SSL and therefore has no in depth security. The tunnelling mechanism used in this instance is a generic one and can in fact be used for any protocol. This means that there is no requirement either for the proxy to support SSL either as the server is merely establishing a connection and then forwarding data without any processing.