similar to: Adding SNI support to SSH

Ciao Luca, Luca Filipozzi <lfilipoz at emyr.net> writes: >> [ ... ] > Neat. I do something similar: in order to circumvent obnoxious airport / > coffee shop firewalls that block non-HTTPS traffic, I configured haproxy > to offer 'SSH over HTTPS'. haproxy terminates the HTTPS connection > (which is SNI-aware) while sshd on the target machine terminates the >

Hey Jochen, Jochen Bern <Jochen.Bern at binect.de> writes: > On 01/13/2020 11:10 AM, Nico Schottelius wrote: >> The problem I am trying to solve is: there are thousands of users on >> IPv4 only networks who I cannot all communicate with. And they need to >> access resources on IPv6 only systems. >> >> The typical jump host / proxy command approach surely

Christian Weisgerber <naddy at mips.inka.de> writes: > On 2020-01-12, Dustin Lundquist <dustin at null-ptr.net> wrote: > >> I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to

Hey Thorsten, Thorsten Glaser <t.glaser at tarent.de> writes: > On Sun, 12 Jan 2020, Nico Schottelius wrote: > >> I was wondering what you think about SNI (server name indication) >> support to OpenSSH? > > Oh, please absolutely not. SNI is a privacy violation in HTTP, and > otherwise just a poor excuse to continue running NAT and/or IPv4. you might have

Hi, On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote: > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? I'd do

> Have you ever considered using ssh's proxy-command for this? > I have a similar setup, works great for me. I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to register their host identifier

> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any

On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>>

On 20.10.2016 15:41, Arkadiusz Mi?kiewicz wrote: > On Thursday 20 of October 2016, Aki Tuomi wrote: >> On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: >>> On Monday 17 of October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30

Is there a way to log SNI hostname used in TLS session? Info is there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to ssl_io->host. Unfortunately I don't see it expanded to any variables ( http://wiki.dovecot.org/Variables ). Please consider this to be a feature request. The goal is to be able to see which hostname client used like: May 30 08:21:19 xxx dovecot:

Hi All, I''ve run into a bit of a tangle. I currently have two puppet masters which are "load balanced" with round robin DNS (one is also the CA). I''m using dns_alt_names to let them each answer to puppet.my.domain.com For the past year this has been fine. About a week ago I tried to add a third & while all my Linux clients are happy with the new arrangement,

Dear Mailing List We are using a ControlMaster with a short ControlPersist to access the bastion host which then gives access to customer hosts. Our Information Security Manager would like to disallow the ControlMaster. His attack scenario is an admin workstation with a compromised root account. An attacker can then use the ControlMaster to trivially get shell access on the bastion host

Hello, I'm looking into deploying dovecot as a proxy, currently using perdition. Have been using dovecot on the actual servers for years, nearly a decade. So far just 1.x, but for the proxy it will have to be 2.x (2.1.7 is the current Debian version), as the trigger for this change is the need to support multiple SSL certificates. All that happens on the proxy seems to be handled by the

Hi. Looks like every ~2 Years raises someone the question about SNI support in the openssh client. 2015: https://marc.info/?l=openssh-unix-dev&m=143248436518985&w=2 2017: https://marc.info/?l=openssh-unix-dev&m=150204655205911&w=2 I have read the docs and haven't seen anything about that this feature is already available in SSH. https://man.openbsd.org/ssh.1

Hello, We?re rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we?re finding with this approach: 1) Dovecot wants to load everything at once, which has some machines taking

Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name

Hi! I am currently publishing some web services on a Centos 5.3 server on my office using the included apache httpd. They are available from the Internet, and they require validation (username/password). I would like to publish them all under https, so the passwords won't travel unencrypted, but then all my sites use the same certificate on apache httpd. The solution to this is using an

Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =

> On November 11, 2016 at 12:22 PM Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > > On Friday 11 of November 2016, Felipe Gasper wrote: > > Hello, > > > > We?re rolling out large SNI deployments for our mail servers. Each domain > > gets an entry like this in the config: > > > > local_name mail.foo.com { > > ssl_cert =

>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars