
Re: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache?

  • Subject: Re: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache?
  • From: Konrad Karl <kk_konrad@xxxxxx>
  • Date: Wed, 19 Jan 2005 19:23:32 +0100

On Wed, Jan 19, 2005 at 04:20:34PM +0100, Fritz Elfert wrote:
> Hi Konrad (or is it Karl?),

my first name is Konrad :)

> Sounds very interesting!
> Having a quick look at Appendix 6 of the SSL Draft, I would suggest
> adding a private value for the cipher suite. The draft says:
> "
>    Note:          All cipher suites whose first byte is 0xFF are
>                   considered private and can be used for defining
>                   local/experimental algorithms.  Interoperability of
>                   such types is a local matter.
> "
> So this could be done completely transparently _without_ the need for changing
> client- or server side of _any_ SSL application, supposing the following
> scenario (where I call that new beast 'SSLmux'):

Thanks very much for the suggested name, really :) and it seems
really doable with not too much effort.

A small drawback is that SSLmux will have to maintain perhaps
many Web connections, which will consume resources. Therefore I am
thinking about some file descriptor passing to really hand over the
connected socket to the mux'ed server - I don't know yet with
my limited knowledge how to do it best, but I can imagine it would
be possible. At this time I don't know enough about Apache internals
to make an educated guess how to implement this best - perhaps as
a module.

So (on the server side) SSLmux would just accept the connection, decide
what to do, hand over the socket + initial data and then would be
done with this connection.

The client side should not be a problem resource-wise.

Many thanks for your thoughts.


>   SSL-client -> SSLmux -> TCP thru proxies on port 443 -> SSLmux -> (multiple servers)
> On the client side, SSLmux would listen on various ports, intercepting SSL
> Hello packets and insert 2 private CipherSuite IDs at the top of the list of
> supported ciphersuites:
>  1. [0xFF, 0x12] (A flag, indicating that the next 2 bytes are _not_
>                      a ciphersuite but in reality an application mux selector)
>  2. [depending on the app]
> On the server side, SSLmux would have to intercept traffic as well and if
> a hello packet arrives which contains the above defined CipherSuite
> [0xFF, 0x12], then use the selector to find the local destination, and
> hand over the hello packet with the previously added special CipherSuites
> stripped off.


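Worked example of the SSLmux scheme quoted above (added to this archive page; it is not code from the thread, from Konrad, Fritz or the OpenVPN project). It assumes SSLv3/TLS record framing for the ClientHello (an SSLv2-compatible hello has a different layout and is not handled), encodes the selector suite as 0xFF,<selector> so that both inserted suites stay in the private 0xFF range, and uses a hypothetical ROUTES table mapping selectors to local backends. Two points a practitioner will want to check: the selector travels in cleartext and is unauthenticated, so it is a routing hint only and each backend must still authenticate the peer itself; and the server-side strip must reproduce the client application's hello byte for byte, because both endpoints hash the handshake messages as they sent or received them and the Finished check fails otherwise. (For the record: later TLS multiplexers key on the SNI extension of RFC 6066 for this job, and OpenVPN itself later gained --port-share to hand non-OpenVPN clients on 443 to a web server.)

```python
import os
import struct

# The private cipher suite that flags a mux'ed hello (first byte 0xFF = private
# range, per the SSL draft note quoted in the thread). The suite right after it
# carries the selector; this example encodes it as 0xFF,<selector> so it is
# private too.
MUX_FLAG = b"\xff\x12"

# Hypothetical selector table for this example, not from the thread.
ROUTES = {
    0x01: ("127.0.0.1", 8443),   # local Apache
    0x02: ("127.0.0.1", 1194),   # local OpenVPN
}
DEFAULT_BACKEND = ROUTES[0x01]   # plain browsers carry no selector


def build_client_hello(cipher_suites, version=(3, 1), session_id=b"", random_bytes=None):
    """Build a minimal SSLv3/TLS-style ClientHello record (no extensions)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(cipher_suites)
    body = (bytes(version) + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def _locate_cipher_suites(record):
    """Validate record/handshake framing; return (offset of suites length, suites length)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not an SSL/TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != 0x01 or int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("not a well-formed ClientHello")
    pos = 9 + 2 + 32                            # skip client_version and random
    if pos >= len(record):
        raise ValueError("truncated hello")
    pos += 1 + record[pos]                      # skip session_id
    if pos + 2 > len(record):
        raise ValueError("truncated hello")
    suites_len = struct.unpack("!H", record[pos:pos + 2])[0]
    if suites_len % 2 or pos + 2 + suites_len + 1 > len(record):
        raise ValueError("bad cipher_suites length")
    return pos, suites_len


def _rewrite(record, pos, new_suites):
    """Swap in a new cipher_suites vector and fix up the handshake and record lengths."""
    old_len = struct.unpack("!H", record[pos:pos + 2])[0]
    body = (record[9:pos] + struct.pack("!H", len(new_suites)) + new_suites
            + record[pos + 2 + old_len:])
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return record[:3] + struct.pack("!H", len(handshake)) + handshake


def client_add_selector(record, selector):
    """Client-side SSLmux: put the flag suite and the selector suite at the top of the list."""
    if not 0 <= selector <= 0xFF:
        raise ValueError("selector must fit in one byte")
    pos, n = _locate_cipher_suites(record)
    suites = record[pos + 2:pos + 2 + n]
    if suites.startswith(MUX_FLAG):
        raise ValueError("hello already carries a mux selector")
    return _rewrite(record, pos, MUX_FLAG + bytes([0xFF, selector]) + suites)


def server_strip_selector(record):
    """Server-side SSLmux: return (selector or None, hello with the private suites stripped).

    A hello without the flag (a normal browser) is passed through untouched.
    """
    pos, n = _locate_cipher_suites(record)
    suites = record[pos + 2:pos + 2 + n]
    if not suites.startswith(MUX_FLAG):
        return None, record
    if n < 4 or suites[2] != 0xFF:
        raise ValueError("mux flag present but selector suite is missing or not private")
    return suites[3], _rewrite(record, pos, suites[4:])


def route(record):
    """Decide where the server-side mux hands this connection and what bytes to forward."""
    selector, hello = server_strip_selector(record)
    if selector is None:
        return DEFAULT_BACKEND, hello
    if selector not in ROUTES:
        raise ValueError("unknown selector %#x" % selector)   # fail closed, no default
    return ROUTES[selector], hello


if __name__ == "__main__":
    # Constructed sample: a client offering TLS_RSA_WITH_AES_128_CBC_SHA and
    # TLS_RSA_WITH_AES_256_CBC_SHA, wrapped by the client-side mux for OpenVPN.
    original = build_client_hello([b"\x00\x2f", b"\x00\x35"])
    wrapped = client_add_selector(original, 0x02)
    backend, forwarded = route(wrapped)
    print(backend, forwarded == original)
```

Running it prints the OpenVPN backend and True, i.e. the bytes handed to the backend are exactly what the client application produced. An unknown selector raises instead of falling back to the default backend; the mux should drop such connections rather than guess, since the selector is attacker-controlled input.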