W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Fri, 4 Dec 2015 20:10:43 -0600
Message-ID: <CACuKZqHPT8j3o_zKdaqTL8dBAic=BK3XFi6aw2xidKLzKvNiDA@mail.gmail.com>
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Willy Tarreau <w@1wt.eu>
On Fri, Dec 4, 2015 at 7:42 PM, Alex Rousskov <
rousskov@measurement-factory.com> wrote:

> > The other one (less
> > important for the long term, might be a technical issue for the short
> term)
> > was that doing TLS inside a CONNECT tunnel over a TLS proxy connection
> was
> > not the easiest thing to do, probably in part because SSL libs APIs are
> even
> > harder to use between chained buffers than they are between a buffer and
> a
> > file descriptor.
> Yes, I know. We have added https:// proxy support to Curl and had to
> jump through a few hoops, including OpenSSL bugs:
> https://github.com/bagder/curl/pull/305

Ideally, client should be able to use multiple tunnels, plus one proxy

  client - Socks tunnel - CONNECT tunnel - more tunnels... - proxy - server

there are multiple levels of connections; each should be able to do TLS
so that it cannot be spied by the underlying connection.

I have a java http client that does just that, if anyone is interested.

Zhong Yu
Received on Saturday, 5 December 2015 02:11:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC