similar to: Adding SNI support to SSH

Displaying 20 results from an estimated 3000 matches similar to: "Adding SNI support to SSH"

2020 Jan 13
3
Adding SNI support to SSH
Ciao Luca, Luca Filipozzi <lfilipoz at emyr.net> writes: >> [ ... ] > Neat. I do something similar: in order to circumvent obnoxious airport / > coffee shop firewalls that block non-HTTPS traffic, I configured haproxy > to offer 'SSH over HTTPS'. haproxy terminates the HTTPS connection > (which is SNI-aware) while sshd on the target machine terminates the >
2020 Jan 13
2
Adding SNI support to SSH
Hey Jochen, Jochen Bern <Jochen.Bern at binect.de> writes: > On 01/13/2020 11:10 AM, Nico Schottelius wrote: >> The problem I am trying to solve is: there are thousands of users on >> IPv4 only networks who I cannot all communicate with. And they need to >> access resources on IPv6 only systems. >> >> The typical jump host / proxy command approach surely
2020 Jan 13
4
Adding SNI support to SSH
Christian Weisgerber <naddy at mips.inka.de> writes: > On 2020-01-12, Dustin Lundquist <dustin at null-ptr.net> wrote: > >> I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to
2020 Jan 12
3
Adding SNI support to SSH
Hey Thorsten, Thorsten Glaser <t.glaser at tarent.de> writes: > On Sun, 12 Jan 2020, Nico Schottelius wrote: > >> I was wondering what you think about SNI (server name indication) >> support to OpenSSH? > > Oh, please absolutely not. SNI is a privacy violation in HTTP, and > otherwise just a poor excuse to continue running NAT and/or IPv4. you might have
2020 Jan 13
3
Adding SNI support to SSH
Hi, On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote: > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? I'd do
2020 Jan 12
2
Adding SNI support to SSH
> Have you ever considered using ssh's proxy-command for this? > I have a similar setup, works great for me. I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to register their host identifier
2016 Oct 17
2
logging TLS SNI hostname
> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any
2016 Oct 20
2
logging TLS SNI hostname
On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>>
2016 Oct 20
2
logging TLS SNI hostname
On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote: > On Thursday 20 of October 2016, Aki Tuomi wrote: >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote: >>> On Monday 17 of October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30
2016 May 30
2
logging TLS SNI hostname
Is there a way to log SNI hostname used in TLS session? Info is there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to ssl_io->host. Unfortunately I don't see it expanded to any variables ( http://wiki.dovecot.org/Variables ). Please consider this to be a feature request. The goal is to be able to see which hostname client used like: May 30 08:21:19 xxx dovecot:
2013 May 17
3
client connection errors: SSL, SNI and DNS_ALT_NAMES Oh My
Hi All, I've run into a bit of a tangle. I currently have two puppet masters which are "load balanced" with round robin DNS (one is also the CA). I'm using dns_alt_names to let them each answer to puppet.my.domain.com For the past year this has been fine. About a week ago I tried to add a third & while all my Linux clients are happy with the new arrangement,
2020 Jan 20
4
Security implications of using ControlMaster
Dear Mailing List We are using a ControlMaster with a short ControlPersist to access the bastion host which then gives access to customer hosts. Our Information Security Manager would like to disallow the ControlMaster. His attack scenario is an admin workstation with a compromised root account. An attacker can then use the ControlMaster to trivially get shell access on the bastion host
2013 Apr 03
2
Proxying, pertinent values and features, SNI
Hello, I'm looking into deploying dovecot as a proxy, currently using perdition. Have been using dovecot on the actual servers for years, nearly a decade. So far just 1.x, but for the proxy it will have to be 2.x (2.1.7 is the current Debian version), as the trigger for this change is the need to support multiple SSL certificates. All that happens on the proxy seems to be handled by the
2019 Dec 06
2
client to support SNI
Hi. Looks like every ~2 years someone raises the question about SNI support in the openssh client. 2015: https://marc.info/?l=openssh-unix-dev&m=143248436518985&w=2 2017: https://marc.info/?l=openssh-unix-dev&m=150204655205911&w=2 I have read the docs and haven't seen anything saying that this feature is already available in SSH. https://man.openbsd.org/ssh.1
2016 Nov 10
4
lazy-load SNI?
Hello, We're rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we're finding with this approach: 1) Dovecot wants to load everything at once, which has some machines taking
2019 Sep 13
2
Multiple certificate option SNI
Hi, I have a problem with SNI and dovecot 2.2.36.4. Server: Debian 9.x and dovecot-2.2.36.4. Default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in DNS too) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name
2009 Apr 13
4
httpd with SNI
Hi! I am currently publishing some web services on a Centos 5.3 server on my office using the included apache httpd. They are available from the Internet, and they require validation (username/password). I would like to publish them all under https, so the passwords won't travel unencrypted, but then all my sites use the same certificate on apache httpd. The solution to this is using an
2018 Aug 29
3
SNI Dovecot
Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =
2016 Nov 11
1
lazy-load SNI?
> On November 11, 2016 at 12:22 PM Arkadiusz Miśkiewicz <arekm at maven.pl> wrote: > > > On Friday 11 of November 2016, Felipe Gasper wrote: > > Hello, > > > > We're rolling out large SNI deployments for our mail servers. Each domain > > gets an entry like this in the config: > > > > local_name mail.foo.com { > > ssl_cert =
2016 Nov 11
2
lazy-load SNI?
>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars