September 18, 2014

SSL Termination Proxy for Windows

Many open source products are developed mainly for Linux but also run on Windows, e.g. RabbitMQ, OpenSSL and other enterprise solutions.
When developing enterprise software on Windows, storing encryption keys in the Windows Certificate Store becomes an important issue.
The weakness of bypassing the Windows Certificate Store is that private keys end up on the file system rather than in the secure location defined by Microsoft. The risk is not that high, since both the NTFS file system and the Windows Certificate Store can be protected by an ACL; however, this is a standard for the customers I work with.

The challenges

  1. Each framework implements the SSL handshake differently, e.g. the implementation in the .NET Framework is not the same as in OpenSSL or Erlang.
  2. The solution should not be coupled to a specific protocol, e.g. HTML, AMQP or any proprietary protocol.

The requirements

  1. The enterprise software should not have to be recompiled to overcome the challenge.
  2. Performance should be minimally affected (this is very hard).
  3. The solution should support both SSL and client-side authentication.
  4. Private keys must be stored in the Windows Certificate Store and marked as not exportable. Preferably the private key would be stored on an HSM, but that is just a matter of changing the Windows CSP (Cryptographic Service Provider).


Since the solution must support both access to the Windows Certificate Store and transparency to the application protocol, OpenSSL is not good enough because it cannot work with the Windows Certificate Store. Reverse proxies that can terminate SSL, e.g. NGINX and HAProxy, are likewise unable to meet the requirements.
Another option is WCF transport, which is fast, secure and complies with the certificate storage requirements. However, the main problem with this option is the code changes required to replace the system's transport, especially when the transport is based on third-party solutions.

A walk-through of the solution

The solution is simple and even scalable. The main idea is to develop an SSL termination socket proxy, which is therefore transparent to any application.
The architecture diagram below illustrates it for RabbitMQ, but it can work for any software:

Since the socket sits below the application layer in the OSI model, it is much easier to control the flow at this level. Hence, the client does not need to change, except for the port of the target server. On the server side, I would configure the RabbitMQ server to refuse connections from any non-localhost address. The SSL termination socket proxy is responsible for all security requirements, e.g. certificate revocation verification, mutual authentication, using the Windows Certificate Store to bind the certificate to the TCP listener, etc.
As for the performance: if you develop in lower-level languages, it may be fast enough. On the other hand, if you're an expert in non-blocking, fully asynchronous code, it can be fast enough even in .NET and Java.
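To make the walk-through concrete, here is an added example of such an SSL termination socket proxy in C# (.NET Framework 4.5+), written for this page and not the code of the post's author or of the project he built. It loads the server certificate from LocalMachine\My by thumbprint, refuses to start if the CSP key container is exportable (requirement 4), requires a client certificate with online revocation checking (requirement 3), and then pumps plaintext bytes to a backend on localhost, so the application behind it never sees TLS. The thumbprint, the ports, the pinned issuer name and the class name are assumptions to adjust.

```csharp
// Added example, not the post's code: asynchronous SSL termination socket proxy for Windows.
// Assumptions: a server certificate with a CSP-backed (not CNG) private key in LocalMachine\My,
// and a plaintext backend such as RabbitMQ listening only on 127.0.0.1:5672.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class SslTerminationProxy
{
    // Assumed values: replace with your own thumbprint, public TLS port and backend.
    const string ServerCertThumbprint = "PUT-SERVER-CERT-THUMBPRINT-HERE";
    const int ListenPort = 5671;
    const string BackendHost = "127.0.0.1";
    const int BackendPort = 5672;
    const string TrustedIssuerName = "CN=Example Enterprise CA"; // assumed issuer to pin

    // Bind the listener certificate from the Windows Certificate Store; never touch a key file.
    static X509Certificate2 LoadServerCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ServerCertThumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Server certificate not found in LocalMachine\\My");
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key in the store");
            // Requirement check: the private key must have been imported as non-exportable.
            // cert.PrivateKey works for CSP keys; a CNG key needs GetRSAPrivateKey() on .NET 4.6+.
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa != null && rsa.CspKeyContainerInfo.Exportable)
                throw new InvalidOperationException("Private key is exportable; re-import it without the exportable flag");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Mutual authentication: SslStream has already built and revocation-checked the chain;
    // reject any policy error and additionally pin the issuing CA (assumed policy).
    static bool ValidateClientCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null || errors != SslPolicyErrors.None)
            return false;
        var cert2 = new X509Certificate2(certificate);
        return cert2.Issuer.Contains(TrustedIssuerName);
    }

    // Terminate TLS on one accepted socket and relay plaintext to the local backend.
    static async Task HandleClientAsync(TcpClient client, X509Certificate2 serverCert)
    {
        using (client)
        using (var ssl = new SslStream(client.GetStream(), false, ValidateClientCertificate))
        using (var backend = new TcpClient())
        {
            await ssl.AuthenticateAsServerAsync(serverCert,
                clientCertificateRequired: true,
                enabledSslProtocols: SslProtocols.Tls12,
                checkCertificateRevocation: true);
            await backend.ConnectAsync(BackendHost, BackendPort);
            var plain = backend.GetStream();
            // Pump bytes both ways; the connection ends when either side closes.
            var up = ssl.CopyToAsync(plain);
            var down = plain.CopyToAsync(ssl);
            await Task.WhenAny(up, down);
        }
    }

    static async Task RunAsync()
    {
        var serverCert = LoadServerCertificate();
        var listener = new TcpListener(IPAddress.Any, ListenPort);
        listener.Start();
        Console.WriteLine("Listening on {0}, forwarding plaintext to {1}:{2}",
            ListenPort, BackendHost, BackendPort);
        while (true)
        {
            var client = await listener.AcceptTcpClientAsync();
            // One task per connection; a failed handshake only closes that socket.
            var _ = HandleClientAsync(client, serverCert).ContinueWith(t =>
            {
                if (t.IsFaulted)
                    Console.WriteLine("Connection closed: {0}", t.Exception.GetBaseException().Message);
            });
        }
    }

    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }
}
```

The service account running the proxy needs read permission on the certificate's private key (set through the certificate's "Manage Private Keys" ACL), and SChannel uses the key in place, so marking it non-exportable costs nothing at runtime. On the RabbitMQ side, the "refuse non-localhost connections" step from the text corresponds to binding its plaintext listener to 127.0.0.1 only, so that every remote client is forced through the proxy's mutual authentication.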


I worked with two of my colleagues - Guy Baron and Nir Rotshtein - both are very experienced in software architecture and development. Folks - it's my pleasure working with you!

