External SSL termination

On 23 Sep 2014, at 13:08, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> On Tue, Sep 23, 2014 at 8:42 AM, Alexander Rumyantsev
> <alexander at rumyantsev.com> wrote:
>> Hi!
>> I have ocserv running on RHEL 6.5 and openconnect on OS X 10.9 + MacPorts.
>> Recently I decided to hide ocserv behind haproxy to separate AnyConnect connections from browser connections by the User-Agent header.
>> But I couldn't establish a connection due to the following error: "SSL connection failure: curve not supported"
>> I think that's because RHEL ships with a hobbled OpenSSL (against which haproxy was built) with very limited elliptic curve support due to RH Legal's patent fears.
>> I don't even know how to deal with this, or whether it is even worth dealing with.
> 
> Note that there is also sniproxy, which does not terminate but
> forwards the SSL sessions correctly based on the server name present
> in the client hello.
> 
>> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.
> 
> Do you have some more information on that? Is there a known "protocol"
> to forward SSL connections to another process which listens on unix
> sockets? It would be even more interesting if there was not any
> termination at all and the SSL session was forwarded as is (e.g., via
> file descriptor passing).

I mean pure external SSL termination. I understand that it limits the functionality of ocserv, but in some cases it seems useful to me.
That's how I see it: openconnect establishes an SSL session with haproxy, which, in turn, establishes a plain HTTP session without SSL/TLS with ocserv as a backend through a unix socket.

Once again, I want to share one IP address and the standard port 443 between ocserv and an HTTP server, using the User-Agent HTTP header as the distinguisher.
For now, if haproxy detects an OpenConnect/AnyConnect client, it makes an SSL connection to the backend, ocserv. It works, but I think it's useless CPU overhead in my case.
In the case of a browser connection, haproxy establishes an HTTP session with nginx over a unix socket, acting as SSL terminator for the HTTP server.

Haproxy, in TCP mode, can of course forward the SSL session as-is, but in that case I cannot route requests to different backends based on HTTP information.

> 
> regards,
> Nikos
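The setup Alexander describes in his reply (TLS terminated on haproxy, AnyConnect/OpenConnect clients steered to ocserv by User-Agent, browsers to nginx over a unix socket), written out as a haproxy configuration. This is an added example, not from the thread and not ocserv's or haproxy's own documentation. The hostname vpn.example.com, the certificate and CA paths, the ocserv listener 127.0.0.1:4443 (ocserv's tcp-port moved off 443 so haproxy can own that port) and the nginx socket path are assumptions; the syntax is that of haproxy 1.5, the current release at the time of the thread. The `ecdhe` bind keyword pins the curve haproxy offers for ECDHE; whether that resolves the "curve not supported" error in the original report depends on what the RHEL OpenSSL build supports, which the thread does not settle.

```haproxy
# /etc/haproxy/haproxy.cfg (added example; paths, ports and names are assumed)

global
    log /dev/log local0
    daemon
    # every VPN client holds one TCP connection for the life of its tunnel,
    # so size the global connection limit for the expected number of users
    maxconn 4096

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # a CSTP session is a CONNECT tunnel; once haproxy has forwarded the CONNECT
    # this timeout replaces the client/server timeouts for that connection
    timeout tunnel  1h

frontend https_in
    # haproxy terminates TLS here and presents the public certificate to both
    # browsers and VPN clients.  'ecdhe' selects the named curve used for the
    # ECDHE key exchange (assumed here to be one the local OpenSSL supports).
    bind *:443 ssl crt /etc/haproxy/certs/vpn.example.com.pem no-sslv3 ecdhe prime256v1
    mode http
    option httplog

    # Cisco AnyConnect sends "AnyConnect <platform> <version>", OpenConnect
    # sends "Open AnyConnect VPN Agent v<version>"; a case-insensitive
    # substring match on "anyconnect" catches both.
    acl is_vpn hdr_sub(User-Agent) -i anyconnect

    use_backend ocserv if is_vpn
    default_backend nginx

backend ocserv
    mode http
    # Re-encrypt to ocserv (the second TLS leg the thread calls CPU overhead).
    # ocserv is assumed to listen on 127.0.0.1:4443 (tcp-port = 4443 in
    # ocserv.conf).  Verify its certificate rather than using 'verify none',
    # so a process that takes over that port cannot silently receive VPN
    # credentials from haproxy.
    server ocserv 127.0.0.1:4443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost vpn.example.com

backend nginx
    mode http
    # Plain HTTP to nginx over a unix socket (nginx: listen unix:/var/run/nginx.sock).
    # The socket carries cleartext, so restrict its filesystem permissions to the
    # haproxy and nginx users.
    server nginx unix@/var/run/nginx.sock
```

Two caveats a practitioner should keep in mind with this layout. First, haproxy proxies TCP only: ocserv's DTLS channel is UDP and bypasses haproxy entirely, so unless UDP 443 on the shared address reaches ocserv directly, openconnect falls back to TLS over TCP and the tunnel still works, only slower. Second, the User-Agent match is routing, not access control: anyone can send that header, so ocserv must still authenticate every client as usual, and nginx must not assume that VPN clients have been filtered away from it.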

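The alternative Nikos raises with sniproxy, and which Alexander notes haproxy's TCP mode can also do: not terminating TLS at all, and routing on the server name in the ClientHello. Added example, not from the thread; haproxy 1.5 does this natively with the `req.ssl_sni` fetch, so no second daemon is needed. Names and ports are assumptions. The trade-off against the User-Agent approach is that VPN clients and browsers must use different hostnames (the same IP and port is fine), and nginx has to terminate its own TLS, because haproxy only ever sees ciphertext.

```haproxy
# /etc/haproxy/haproxy.cfg (added example; names and ports are assumed)
# TCP mode: haproxy never decrypts, so its own OpenSSL build and curve support
# are out of the picture; each backend completes the TLS handshake itself.

global
    log /dev/log local0
    daemon

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # once the content rules below have accepted the connection it is a plain
    # tunnel and this timeout governs it
    timeout tunnel  1h

frontend tls_in
    bind *:443
    mode tcp
    # Hold the connection until a TLS ClientHello (handshake type 1) has
    # arrived, or give up after 5s, so that req.ssl_sni has data to inspect.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the server_name extension.  VPN clients must be pointed at
    # vpn.example.com; everything else, including clients that send no SNI,
    # lands on the web server.
    use_backend ocserv if { req.ssl_sni -i vpn.example.com }
    default_backend nginx

backend ocserv
    mode tcp
    # ocserv keeps its own certificate and key; the client's TLS session ends
    # at ocserv, not at haproxy
    server ocserv 127.0.0.1:4443

backend nginx
    mode tcp
    # nginx must 'listen 127.0.0.1:8443 ssl' here; a plain-HTTP unix socket
    # cannot accept the forwarded ciphertext
    server nginx 127.0.0.1:8443
```

Because nothing is decrypted on the way through, ocserv sees haproxy's address rather than the client's, and the DTLS remark from the previous example applies unchanged: UDP is not proxied, so it either reaches ocserv directly or the client falls back to TCP.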


