httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date Wed, 04 Mar 2009 13:23:19 GMT

--- Comment #80 from Viktor Štujber <>  2009-03-04 05:23:15 PST
Apache's mod_proxy supports tunneling ssh over plaintext HTTP, as suggested on But in this
scenario, an eavesdropping adversary will see
1. that you're trying to proxy a connection
2. the destination server's address
3. your proxy credentials (!!)
4. that you're tunneling ssh
5. the sshd's version string
6. the ssh handshake and subsequent encrypted data

To avoid being compromised, one could instead talk to the proxy using HTTP over
SSL (a.k.a. HTTPS). That way, the adversary can only observe an SSL handshake
with the proxy. Since the proxy also acts as a web-server, the adversary cannot
directly discern between a normal legitimate https page request and an ssh
tunnel negotiation.

So the only difference between the two is that we add an extra crypto layer.
This layer would be transparent to the HTTP channel - no modification necessary.
The only requirement is that the server properly maintains this layered model.

From comment #1 and others, it is shown that Apache actually does use this
model, but only for client -> server traffic: the SSL layer is established and
the HTTP CONNECT request parsed. But in the server -> client direction, the SSL
layer is skipped and data written directly to socket.

So unless I made a mistake, I can only see this problem as a defect in
mod_proxy's code logic - code that only works when there are no extra
communication layers.
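
The layered model the comment describes, as an added Go example that is not part of the bug report and is not Apache's mod_proxy code: a TLS-terminating proxy parses CONNECT through the TLS layer and, in its correct form, also answers through it; a hypothetical replyBypassesTLS switch reproduces the reported defect by writing the "200 Connection Established" reply to the bare socket underneath the TLS layer, which the client's TLS record layer then rejects. Everything here is constructed for the example: the self-signed "proxy.test" certificate, the proxy credentials alice:s3cret, the loopback listeners, and a plain TCP echo service standing in for sshd.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert makes a throwaway "proxy.test" certificate (constructed test material, not a real CA)
// and a pool holding it, so the client verifies the proxy instead of skipping certificate checks.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"proxy.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der) // DER produced just above, so this cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serve accepts connections on ln until it is closed, handling each one in its own goroutine.
func serve(ln net.Listener, handle func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go func(c net.Conn) { defer c.Close(); handle(c) }(c)
	}
}

// skipHeaders consumes header lines up to and including the blank line that ends them.
func skipHeaders(br *bufio.Reader) error {
	for {
		h, err := br.ReadString('\n')
		if err != nil || h == "\r\n" || h == "\n" { return err }
	}
}

// handleConnect is the proxy side. The CONNECT request is always parsed through the TLS layer; with
// replyBypassesTLS (hypothetical switch) the 200 reply is written to the bare socket underneath it
// instead, which is the server -> client defect the comment describes.
func handleConnect(raw net.Conn, cert tls.Certificate, replyBypassesTLS bool) {
	tc := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}}) // the extra crypto layer
	br := bufio.NewReader(tc)                                                  // HTTP only ever sees tc
	reqLine, err := br.ReadString('\n') // "CONNECT host:port HTTP/1.1"
	f := strings.Fields(reqLine)
	if err != nil || len(f) != 3 || f[0] != "CONNECT" || skipHeaders(br) != nil { return }
	target, err := net.Dial("tcp", f[1])
	if err != nil { return }
	w := io.Writer(tc) // correct: the reply stays inside the TLS session
	if replyBypassesTLS {
		w = raw // defect: plaintext bytes land in the client's TLS record layer
	}
	io.WriteString(w, "HTTP/1.1 200 Connection Established\r\n\r\n")
	go func() { io.Copy(target, br); target.Close() }() // client -> target, read through TLS
	io.Copy(tc, target)                                  // target -> client, written through TLS
}

// connectThroughProxy is the client side: TLS to the proxy, CONNECT with (constructed) proxy
// credentials inside it, then one line exchanged with the target through the tunnel.
func connectThroughProxy(proxyAddr, targetAddr string, pool *x509.CertPool) (string, error) {
	tc, err := tls.Dial("tcp", proxyAddr, &tls.Config{ServerName: "proxy.test", RootCAs: pool})
	if err != nil { return "", err }
	defer tc.Close()
	fmt.Fprintf(tc, "CONNECT %s HTTP/1.1\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\n\r\n",
		targetAddr, targetAddr, base64.StdEncoding.EncodeToString([]byte("alice:s3cret")))
	br := bufio.NewReader(tc)
	status, err := br.ReadString('\n') // against the buggy proxy this fails inside the TLS record layer
	if err != nil || !strings.HasPrefix(status, "HTTP/1.1 200") || skipHeaders(br) != nil {
		return "", fmt.Errorf("tunnel not established: %q (%v)", strings.TrimSpace(status), err)
	}
	fmt.Fprint(tc, "SSH-2.0-demo_client\r\n") // tunnelled payload, still inside the same TLS session
	echoed, err := br.ReadString('\n')
	return strings.TrimSpace(echoed), err
}

// runDemo wires an echo service (standing in for sshd), the proxy and the client together.
func runDemo(buggy bool) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return "", err }
	echo, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer echo.Close()
	proxy, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer proxy.Close()
	go serve(echo, func(c net.Conn) { io.Copy(c, c) })
	go serve(proxy, func(c net.Conn) { handleConnect(c, cert, buggy) })
	return connectThroughProxy(proxy.Addr().String(), echo.Addr().String(), pool)
}
```

runDemo(false) returns the line echoed back through the tunnel; runDemo(true) returns an error from the client's TLS layer, because the plaintext reply arrives where a TLS record header is expected. The point to notice is that the proxy never has to touch TLS after tls.Server: every read and write goes through tc, and the defect is simply one write aimed at raw instead.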
