search for: middlebox

...oS=none ...) and seeing > > whether that makes any difference? > > Yes - setting -oIPQoS=none on the client allows for a successful > connection to the server. > > Would you still like me to check on the other things or is that enough > to go on with? No - it looks like a middlebox in Amazon's network might be getting confused when the DSCP value changes during the connection. Thanks a lot for helping to chase this down. Cheers, Damien

Fix bug ConnectTimeout=N only works on the first ConnectionAttempts https://bugzilla.mindrot.org/show_bug.cgi?id=2918 --- sshconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sshconnect.c b/sshconnect.c index 4862da5e..b837a83a 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -454,11 +454,12 @@ waitrfd(int fd, int *timeoutp) { struct pollfd pfd; struct timeval

Christian Weisgerber <naddy at mips.inka.de> writes: > On 2020-01-12, Dustin Lundquist <dustin at null-ptr.net> wrote: > >> I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to

Hi, On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote: > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? I'd do the "SNI" part before exchanging server host keys ("just as it is done in https, for good reason"). That way, every backend can have its own key....

On Wed, 3 Apr 2019, Adam Eijdenberg wrote: > > From: Damien Miller <djm at mindrot.org> > > Thanks for testing - are you able to see if there's anything in > > the server logs? > > Hi Damien, > > I've been able to reproduce being unable to successfully connect to > EC2 instances launched with either Amazon Linux 2 AMI (HVM) or Amazon > Linux AMI

Hi, The new interesting piece of information regarding the problem I (and others) reported here on February, is that it's reproducible on some Cisco-firewalled networks. I concluded that because that's what my workplace is using, and also seen this report on https://www.nowhere.dk/articles/natty-narwhal-problems-connecting-to-servers-behind-cisco-firewalls-using-ssh I've also

Hi David, On Wed, 2007-07-25 at 10:38 -0500, David A. Greene wrote: > I'm getting a lot of errors from svn like this: > > svn: REPORT request failed on '/svn/llvm-project/!svn/vcc/default' > svn: REPORT of '/svn/llvm-project/!svn/vcc/default': Could not read response > body: Secure connection truncated (https://llvm.org) What is

I'm getting a lot of errors from svn like this: svn: REPORT request failed on '/svn/llvm-project/!svn/vcc/default' svn: REPORT of '/svn/llvm-project/!svn/vcc/default': Could not read response body: Secure connection truncated (https://llvm.org) I've now been checking out llvm-gcc for two days. Is there a problem with the server? I don't have this issue with other

I am in the network that is behind the Zscaler firewall. Virtually all ports except 80 and 443 are closed. ssh through any of ports 80 and 443 is disallowed based on protocol content analysis. It would be nice if OpenSSH would have some features that would allow the user to break out of such network. I suggest that OpenSSH adds the SSL tunneling feature: 1. The server would have the

> > And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant > changing certs even with a long lived root may get old for your customers. Why? I have corporate systems on 2 year commercial CA signed certificates and personal servers on 90 day LetsEncrypt ones - my users of IMAP and SMTP have never ever noticed when I changed the certificates on any device. They

...> ssh" (i.e. need to configure ssh or don't land on the target host >> immediately). > > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? > 2. Are there any clients *with* v6 accessing the same backends? Via > generic v6? How is the distinction made, FQDNs given in the public > DNS with the proxy'...

On 15 January 2016 at 08:48, Alex Bligh <alex at alex.org.uk> wrote: > > The socket option is enabled *after* connection establishment, thus > > doesn't protect against SYN floods. This is because server doesn't > > know (in userspace) what the address of the peer is until they > > connect. Again because signed addresses. > So could they exchange a secret

Hi all, Link protection is a new feature we are planning to introduce to Solaris and we would like to solicit your feedback on it. Please see attached document for details.