The HTTP CONNECT tunnel

Posted on Aug 12, 2018

HTTPS is widely used on Internet to secure the data being transferred. However, when a browser needs to send a HTTPS request through proxy, since the request hostname and port number are all encrypted in HTTPS request header and even the proxy cannot get them, then how does the proxy know where to send client's request? To solve this problem, the browser sends a HTTP request with method CONNECT and the target hostname and port number to the proxy. When receiving the CONNECT request, the proxy establishes a TCP connection to the requested hostname on the specified port and then returns HTTP 200 response to tell the browser the requested connection was made. After that, the proxy should just blindly forward the packets back and forth between the client and the server without looking at them until the tunnel is closed. Read all

How to create an IIS website that requires client certificate using self-signed certificates

Posted on Jul 31, 2016

Some IE/IIS issues may involve client certificate. It always took me hours to deploy a test website that requires client certificate. Therefore, I am going to write this blog to record every steps including: creating self-signed root CA, server certificate, client certificate and configuring IIS. Read all

Walkthrough: Decrypt SSL/TLS traffic (HTTPS and HTTP/2) in Wireshark

Posted on Dec 15, 2015

I was recently researching HTTP/2. However I can only see encrypted network packets in Wireshark because all browsers only support HTTP/2 that run over TLS. Actually Wireshark does provide some settings to decrypt SSL/TLS traffic. Read all