1

(4 replies, posted in wolfSSL)

Create a second, independent wolfSSL session for the target site. Don't bind it to the raw socket with wolfSSL_set_fd(); bind it to custom I/O callbacks, and here the key step is routing its reads/writes through wolfSSL_read()/wolfSSL_write() on the first (proxy) session instead of the socket directly. That way the second handshake's bytes get encrypted by the proxy session before hitting the wire, the proxy forwards them in the clear to the target, and the target sees a normal TLS handshake. Two TLS sessions stacked on one TCP connection, tunneled through each other.