W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: I-D ACTION:draft-luotonen-ssl-tunneling-01.txt

From: Balint Nagy Endre <bne@bne.ind.eunet.hu>
Date: Fri, 10 Nov 1995 05:58:13 +0100 (MET)
To: Ari Luotonen <luotonen@netscape.com>
Cc: http WG <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <330.bne@bne.ind.eunet.hu>
[Endre Balint Nagy]
> > I see only one unresolved case:
> > how to deal with multiple firewalls?
[Ari Luotonen]
> The SSL Tunneling I-D applies identically to connections between a
> client and a proxy, and between two proxies.  The inner proxy then
> acts as a client to the outer proxy.
[Endre Balint Nagy]
I read this as:
multiple firewall travelsal has no efect on the protocol, it's a proxy
implemenation issue.
Partially agree.
As I see, the (HTTP) protocol has no features to report the server/proxy
which generated the error response when something went wrong.
Client      <->     firewall1           <->           firewall2 <-> server
      connect ->
      <- 407 proxy-authenticate
      connect/proxy-authorisation ->
      <- ???
                   connect
		   407 proxy-authenticate
      407 proxy-authenticate
???
In some cases irrelevant, on which stage the problem occured, but in case of
authentication it is relevant.
If "100 connecting to gatekeeper" stays in the place of the first ???,
the client will know that the second 407 generated by gatekeeper.
(Alternatively, the second 407 can be handled at the first proxy, depending
on authentication scheme.)
As far as I know, we have no standardised proxy-authenticate, only have
a placeholder. While it is a placeholder, the ssl-tunneling is fine, but
when proxy-authenticate is elaborated in detail, some modifications will be
needed.
Of course, this objection applies mostly to the 1.1 draft, not to ssl-tunneling.

> This functionality of going through multiple firewalls is actually
> already available in Netscape Proxy Server.
With autenthication on both firewalls?

Andrew. (Endre Balint Nagy) <bne@bne.ind.eunet.hu>
Received on Thursday, 9 November 1995 21:23:26 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:35 EDT