Re: SSL/TLS everywhere fail

On Fri, Dec 4, 2015 at 7:42 PM, Alex Rousskov <rousskov@measurement-factory.com> wrote:

> > The other one (less important for the long term, might be a technical
> > issue for the short term) was that doing TLS inside a CONNECT tunnel
> > over a TLS proxy connection was not the easiest thing to do, probably
> > in part because SSL libs APIs are even harder to use between chained
> > buffers than they are between a buffer and a file descriptor.
>
> Yes, I know. We have added https:// proxy support to Curl and had to
> jump through a few hoops, including OpenSSL bugs:
> https://github.com/bagder/curl/pull/305

Ideally, a client should be able to use multiple tunnels, plus one proxy:

  client - SOCKS tunnel - CONNECT tunnel - more tunnels... - proxy - server

There are multiple levels of connections; each should be able to do TLS
so that it cannot be spied on by the underlying connection.

I have a Java HTTP client that does just that, if anyone is interested:
  http://bayou.io/release/0.9/docs/http/Proxy_and_Tunnels.html

Zhong Yu
bayou.io

Received on Saturday, 5 December 2015 02:11:14 UTC
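
The layering discussed in this message, as an added example that is not part of the original post and is not code from curl or bayou.io: an inner TLS session carried as application data of an outer TLS session, built on Python's `ssl.MemoryBIO` so that each layer reads and writes buffers rather than a socket. It assumes the `openssl` command is on PATH to create a throwaway certificate; the CONNECT request and response are omitted, an in-memory relay stands in for the proxy, and all class and function names are hypothetical.

```python
import ssl, subprocess, tempfile

def throwaway_contexts():  # constructed test material; assumes the openssl CLI is installed
    d = tempfile.mkdtemp()
    key, crt = d + "/key.pem", d + "/crt.pem"
    cmd = "openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.invalid"
    subprocess.run(cmd.split() + ["-keyout", key, "-out", crt], check=True, capture_output=True)
    srv, cli = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    srv.load_cert_chain(crt, key)
    cli.load_verify_locations(crt)
    cli.check_hostname = False  # demo shortcut; the certificate chain is still verified
    return cli, srv

class Layer:
    """One TLS endpoint that exchanges ciphertext through memory buffers, not a socket."""
    def __init__(self, ctx, server_side):
        self.inp, self.out, self.done = ssl.MemoryBIO(), ssl.MemoryBIO(), False
        self.tls = ctx.wrap_bio(self.inp, self.out, server_side=server_side)
    def plain(self):  # advance the handshake, then decrypt whatever records are buffered
        buf = b""
        try:
            self.tls.do_handshake()  # returns immediately once the handshake is complete
            self.done = True
            while True:
                buf += self.tls.read(16384)
        except ssl.SSLWantReadError:
            return buf

def nested_tls_demo(request=b"GET /private-marker HTTP/1.1\r\n\r\n"):
    cli, srv = throwaway_contexts()
    c_out, p_out = Layer(cli, False), Layer(srv, True)  # outer TLS: client <-> proxy
    c_in, s_in = Layer(cli, False), Layer(srv, True)    # inner TLS: client <-> origin
    wire = proxy_view = got = b""
    for _ in range(40):
        for a, b in ((c_out, p_out), (p_out, c_out)):   # the link an observer can tap
            if data := a.out.read():
                wire += data
                b.inp.write(data)
        seen, back = p_out.plain(), c_out.plain()       # outer layer removed at each end
        proxy_view += seen                              # everything the proxy can recover
        if c_out.done and p_out.done:
            if seen: s_in.inp.write(seen)               # proxy relays bytes it cannot read
            if back: c_in.inp.write(back)
            c_in.plain()                                # drives the inner client handshake
            got += s_in.plain()
            if c_in.done and request:
                request = request[c_in.tls.write(request):]
            if up := c_in.out.read(): c_out.tls.write(up)  # inner records ride as outer data
            if down := s_in.out.read(): p_out.tls.write(down)
    return got, wire, proxy_view
```

`nested_tls_demo()` returns the request as decrypted by the origin, the bytes visible on the client-to-proxy link, and the bytes the proxy recovers after removing its own TLS layer; the request text appears only in the first.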