[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache?


  • Subject: Re: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache?
  • From: Fritz Elfert <fritz.elfert@xxxxxxxxxxxx>
  • Date: Wed, 19 Jan 2005 16:20:34 +0100

Hi Konrad (or is it Karl?),

Sounds very interesting!

Having a quick look at Appendix 6 of the SSL Draft, i would suggest
adding a privat value for the cipher suite. The draft says:

"
   Note:          All cipher suites whose first byte is 0xFF are
                  considered private and can be used for defining
                  local/experimental algorithms.  Interoperability of
                  such types is a local matter.

"

So this could be done completely transparent _without_ the need for changing
client- or server side of _any_ SLL application supposing the following 
scenario (where i call that new beast 'SSLmux'):

  SSL-client -> SSLmux -> TCP thru proxies on port 443 -> SSLmux -> (multiple 
servers)

On the client side, SSLmux would listen on various ports, intercepting SSL 
Hello Packets and insert 2 private CipherSuit IDs at the top of the list of 
supported ciphersuites:

 1. [0xFF, 0x12] (A flag, indicating that the next 2 bytes are _not_
                     a ciphersuite but in reality an application mux selector
 2. [depending on the app]

On the server side, SSLmux would have to intercept traffic as well and if
a hello packet arrives which contains the above defined CipherSuite
[0xFF, 0x12], then use the selector to find the local destination, and
hand over the hello packet with the previously added special CipherSuites
stripped off.


Shouldn't be too much work to implement something like that ...

Ciao
 -Fritz 

On Wednesday, 19. January 2005 14:18, Konrad Karl wrote:
> Hi all,
>
> I already had some conversation about this with Charles Duffy
> but I would like to reach a wider audience.
>
> It would be really convenient to be able to share tcp port 443
> between this two applications, because many proxies are
> configured to only permit the HTTP CONNECT method on
> port 443 and additional ip addresses are difficult to get.
>
> idea:
>
>  add some characteristics to the SSL client hello message
>  either in the 'random bytes' or add some private ciphers
>  which are unlikely in normal web client requests.
>
>  on the server a small frontend process would analyze the
>  client hello, decide on the above characteristics what
>  server would be the appropriate candidate and then
>  forward the connection (including the first hello message)
>  to the right server.
>
>  another possibility would perhaps be to hack the
>  apache (2.0 in my case)  mod_ssl but this seems more
>  difficult to me...
>
> opinions/more_intelligent_ideas  are  welcome.
>
> PS: OpenVpn is a great and really working piece of software.
>
> Konrad
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by: Beat the post-holiday blues
> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

-- 
Fritz Elfert <fritz.elfert@xxxxxxxxxxxx>                     Millenux GmbH
Lilienthalstr. 2                                  Phone: +49 711 88770 300
70825 Stuttgart                                     FAX: +49 711 88770 349
--------------------------------------------------------------------------

Attachment: pgpwuUkdotYWN.pgp
Description: PGP signature