- From: Balint Nagy Endre <bne@bne.ind.eunet.hu>
- Date: Fri, 10 Nov 1995 05:58:13 +0100 (MET)
- To: Ari Luotonen <luotonen@netscape.com>
- Cc: http WG <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
[Endre Balint Nagy]
> > I see only one unresolved case:
> > how to deal with multiple firewalls?

[Ari Luotonen]
> The SSL Tunneling I-D applies identically to connections between a
> client and a proxy, and between two proxies. The inner proxy then
> acts as a client to the outer proxy.

[Endre Balint Nagy]
I read this as: multiple firewall traversal has no effect on the protocol,
it's a proxy implementation issue.
Partially agree.
As I see, the (HTTP) protocol has no features to report the server/proxy
which generated the error response when something went wrong.

    Client <-> firewall1 <-> firewall2 <-> server
    connect ->
            <- 407 proxy-authenticate
    connect/proxy-authorisation ->
            <- ???
                            connect
                            407 proxy-authenticate
            407 proxy-authenticate
    ???

In some cases it is irrelevant at which stage the problem occurred,
but in case of authentication it is relevant.
If "100 connecting to gatekeeper" stays in the place of the first ???,
the client will know that the second 407 was generated by gatekeeper.
(Alternatively, the second 407 can be handled at the first proxy,
depending on authentication scheme.)
As far as I know, we have no standardised proxy-authenticate, only have a
placeholder. While it is a placeholder, the ssl-tunneling is fine,
but when proxy-authenticate is elaborated in detail, some modifications
will be needed.
Of course, this objection applies mostly to the 1.1 draft, not to
ssl-tunneling.

> This functionality of going through multiple firewalls is actually
> already available in Netscape Proxy Server.

With authentication on both firewalls?

Andrew. (Endre Balint Nagy) <bne@bne.ind.eunet.hu>
Received on Thursday, 9 November 1995 21:23:26 UTC
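
The ambiguity discussed in the message above, as an added example that is not part of the original e-mail: a constructed Python model of a CONNECT request crossing two authenticating proxies, showing that a 407 after the client has supplied credentials looks the same whether firewall1 rejected them or firewall2 issued its own challenge, and that an interim "100 connecting to ..." line lets the client tell the cases apart. The Proxy class, hop names, secrets, status strings and the announce switch are assumptions made for illustration.

```python
# Constructed model of CONNECT through two authenticating proxies.
# Class, hop names, secrets and status strings are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

CHALLENGE = "407 proxy-authenticate"
PREFIX = "100 connecting to "

@dataclass
class Proxy:
    name: str
    secret: str                          # credential this hop expects
    upstream: Optional["Proxy"] = None   # outer proxy; None means last hop
    announce: bool = False               # emit the suggested interim 100 line

    def connect(self, creds: Dict[str, str]) -> List[str]:
        """Status lines seen by whoever is downstream of this hop."""
        # Simplification: creds maps hop name -> credential the client offers.
        if creds.get(self.name) != self.secret:
            return [CHALLENGE]
        if self.upstream is None:
            return ["200 connection established"]
        # The inner proxy acts as a client to the outer proxy and relays its answer.
        interim = [PREFIX + self.upstream.name] if self.announce else []
        return interim + self.upstream.connect(creds)

def challenger(lines: List[str]) -> Optional[str]:
    """Hop named by the last interim 100 before a final 407, else None (unknown)."""
    if not lines or lines[-1] != CHALLENGE:
        return None
    named = [l[len(PREFIX):] for l in lines[:-1] if l.startswith(PREFIX)]
    return named[-1] if named else None

def chain(announce: bool) -> Proxy:
    """firewall1 in front of firewall2, as in the diagram in the message."""
    return Proxy("firewall1", "s1", Proxy("firewall2", "s2"), announce)

if __name__ == "__main__":
    rejected_at_1 = chain(False).connect({"firewall1": "wrong"})
    challenged_at_2 = chain(False).connect({"firewall1": "s1"})
    print(rejected_at_1 == challenged_at_2)      # the two cases look identical
    print(challenger(chain(True).connect({"firewall1": "s1"})))
```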