httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date Wed, 05 Mar 2008 16:03:07 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744


Sudhaker <sudhaker@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sudhaker@yahoo.com
           Priority|P3                          |P2




--- Comment #56 from Sudhaker <sudhaker@yahoo.com>  2008-03-05 08:03:06 ---

We can possibly fork this effort and someone can publish various pre-compiled
and patched "mod_proxy_connect.so". This can take away the pain of individually
re-compiling the module ;-)

Last night I compiled "mod_proxy_connect" for 2.2.3 using the patch given at
https://issues.apache.org/bugzilla/attachment.cgi?id=20379 (had to fix
httpd-2.2.3 that comes with CentOS5). It worked great after I replaced the
original "mod_ssl_connect.so" with this patched one :-)

I use Stunnel at the client end, which theoretically abstracts me from the
underlying SSL connections, and get a normal local http-proxy at localhost:8080
which bridges to apache running at my home machine (over SSL). FYI, my <Proxy>
settings are inside the SSL VirtualHost and it is not exposed without encryption.

This technique works great for ssh-over-connect with dynamic-forward enabled at
port 1080. I can then set socks-proxy to localhost:1080 in any application
and it works.

The other use case is when I configure my applications to use http-proxy at
localhost:8080; this is where things get complicated and I see
"SSL3_GET_RECORD:bad decompression" in my stunnel log file. Setting
"sslVersion = TLSv1" in my "stunnel.conf" eventually fixes it (not tested
comprehensively). Guess there are some combinations of protocols which break
even with this patch.

The following are possible combinations we may need to test:

Plain-over-SSLv2, SSLv2-over-SSLv2, SSLv3-over-SSLv2, TLSv1-over-SSLv2
Plain-over-SSLv3, SSLv2-over-SSLv3, SSLv3-over-SSLv3, TLSv1-over-SSLv3
Plain-over-TLSv1, SSLv2-over-TLSv1, SSLv3-over-TLSv1, TLSv1-over-TLSv1

Question for SSL experts: Are there any technical challenges in implementing
SSL-inside-SSL?

Cheers,
Sudhaker

