Comment 7 for bug 1158141

AlainKnaff (kubuntu-misc) wrote :

Found it.

Actually it was due to both a peculiarity in the proxy server I wanted to get through, and a bug in how proxytunnel sets SNI.

It seems that our proxy server ignores SNI in SSLv3, but considers it in TLSv1.

And proxytunnel sets the wrong SNI.

proxytunnel ---> proxy1 (the one I want to get through) ---> proxy2 (my Apache) ---> ssh.

After sending CONNECT proxy2:443 to the proxy1 (in order to be connected through to proxy2), it starts negotiating the SSL session with proxy2. It would be logical to base that negotiation on the host name of proxy2. However, proxytunnel mistakenly includes proxy1 as the SNI in that negotiation.

With the result that the "evil" proxy1, which snoops at the initial part of the negotiation (which is still clear-text...), sees that SNI, then ignores the host that it got in the CONNECT header, and instead attempts to connect to the host that it saw in the SNI, which would be itself (proxy1 instead of proxy2).

In my case, just dropping the SNI setting code in stream_enable_ssl in pstream.c fixed the issue.
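The three-hop setup and the SNI mix-up described in this comment, as an added example (not proxytunnel's own code and not part of the bug report). It builds a minimal ClientHello with a server_name extension, parses the SNI back out of it the way a snooping proxy would, and models proxy1's behaviour of preferring the clear-text SNI over the CONNECT host. The host names proxy1.example.com and proxy2.example.com and the functions are assumptions for illustration; the ClientHello is constructed with zeroed random bytes and a single cipher suite, and the parser handles only a single-record ClientHello with one server_name entry.

```python
import struct

# Hypothetical host names for the three hops in the comment (assumptions).
PROXY1 = "proxy1.example.com"   # the proxy we CONNECT through; it snoops on SNI
PROXY2 = "proxy2.example.com"   # our Apache, the real TLS endpoint


def build_client_hello(sni_host=None, version=b"\x03\x01"):
    """Build a minimal ClientHello record (constructed data, not a real capture).
    With sni_host=None and version=b"\\x03\\x00" it mimics an SSLv3 hello,
    which carries no extensions block at all and therefore no SNI."""
    body = (
        version
        + b"\x00" * 32           # random (zeroed for the example)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x00\x2f"    # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"            # one compression method: null
    )
    if sni_host is not None:
        host = sni_host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # NameType host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ExtensionType server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Parse the server_name out of a ClientHello record, which is still
    clear text, exactly as an SNI-aware proxy can. Returns None when the hello
    carries no extensions (SSLv3) or no server_name extension."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                              # client_version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    if pos >= len(body):
        return None                                           # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0x00:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def connect_request(target_host, target_port=443):
    """The clear-text CONNECT that proxytunnel sends to proxy1 to reach proxy2."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n")


def snooping_proxy_target(connect_host, client_hello):
    """Model of proxy1 as the comment describes it: if the ClientHello carries
    an SNI, connect to that host instead of the one named in CONNECT."""
    sni = extract_sni(client_hello)
    return sni if sni is not None else connect_host


def tunnel_target(connect_host, sni_host, version=b"\x03\x01"):
    """Where proxy1 ends up connecting for a given CONNECT host and SNI choice."""
    return snooping_proxy_target(connect_host, build_client_hello(sni_host, version))


if __name__ == "__main__":
    print(connect_request(PROXY2), end="")
    # Buggy client: CONNECT names proxy2 but the SNI names proxy1, so proxy1
    # connects back to itself instead of to proxy2.
    print("SNI=proxy1 ->", tunnel_target(PROXY2, PROXY1))
    # Correct client: SNI matches the CONNECT target.
    print("SNI=proxy2 ->", tunnel_target(PROXY2, PROXY2))
    # SSLv3-style hello with no extensions: proxy1 has only the CONNECT host.
    print("no SNI     ->", tunnel_target(PROXY2, None, b"\x03\x00"))
```

The fix the comment arrived at (dropping the SNI code) corresponds to the last case: without an extensions block the snooping proxy falls back to the CONNECT host. Setting the SNI to the CONNECT target (proxy2) would also work and keeps name-based virtual hosting on proxy2 functional.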