Re: FYI: SSH1 now disabled at compile-time by default

On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> Sounds like a man-in-the-middle I do not want to know about (but should
> learn about just the same - aka the sand is not so deep I can bury my head
> completely :)

Yes, it is literally a "man in the middle". The point is that this man is 
*you*, and as such, you can trust him, at least as much as you can trust the 
server itself.

It's the same way a reverse proxy turns a local HTTP server running on port 
8080 (or any other for that matter) into a proper HTTPS server.


Or in other words, it's to turn something like this:



                                               | trusted network here
  client            .-,(  ),-.    
   __  _         .-(          )-.            router             server 
  [__]|=|  ---->(    internet    )-------> __________ ------> ____   __ 
  /::/|_|  SSLv2 '-(          ).-' SSLv2   [...__...°] SSLv2 |    | |==|
                     '-.( ).-'                               |____| |  |
                                                             /::::/ |__|



into something like this:

                                               | trusted network here
  client            .-,(  ),-.                 
   __  _         .-(          )-.            router             server 
  [__]|=|  ---->(    internet    )-------> __________ ------> ____   __ 
  /::/|_| TLS1.2 '-(          ).-' TLS1.2  [...__...°] SSLv2 |    | |==|
                     '-.( ).-'                  ↑            |____| |  |
                                             stunnel         /::::/ |__|



(diagram taken from http://unix.stackexchange.com/a/126638)
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
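For reference, below is an added stunnel configuration sketch that implements the second diagram; it is not part of the original post and is not stunnel's own documentation. stunnel runs each service either as a TLS server or as a TLS client, so re-encrypting towards the legacy server takes two chained services: one terminates TLS 1.2 from the client side and hands the plaintext to a loopback port, and the other picks it up there and opens the legacy session to the backend. All hostnames, ports, file paths and cipher names are assumptions; whether the backend leg can actually negotiate SSLv2 depends on the OpenSSL build stunnel is linked against, since current builds drop SSLv2 entirely.

```ini
; Added example, not from the original post: two chained stunnel services
; that give clients a TLS 1.2 front end while the legacy backend keeps
; speaking its old protocol. Hostnames, ports, paths and ciphers are assumed.

; Stage 1: the client-facing side (stunnel acting as a TLS server).
; Only this leg crosses the untrusted network, so this is where the
; protocol and cipher policy is tightened.
[frontend]
accept     = 0.0.0.0:443
connect    = 127.0.0.1:8443          ; loopback hand-off to stage 2 (plaintext, local only)
cert       = /etc/stunnel/frontend.pem
key        = /etc/stunnel/frontend.key
client     = no
sslVersion = TLSv1.2
options    = NO_SSLv2
options    = NO_SSLv3
options    = NO_TLSv1
options    = NO_TLSv1.1
ciphers    = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

; Stage 2: the server-facing side (stunnel acting as a TLS client).
; This leg stays inside the trusted network; it is still as weak as the
; backend, which is exactly the limitation the post describes.
[backend]
accept     = 127.0.0.1:8443
connect    = legacy-server.internal:443   ; assumed hostname of the SSLv2-only server
client     = yes
sslVersion = SSLv2                        ; requires an OpenSSL build that still has SSLv2
verify     = 2                            ; still check the backend certificate chain
CAfile     = /etc/stunnel/legacy-ca.pem   ; assumed CA that issued the backend's certificate
```

Two points worth checking when deploying something like this: the loopback hop between the two services carries plaintext, so both `accept` and `connect` addresses for it should stay on 127.0.0.1 rather than a routable interface, and the backend leg gains nothing in protocol strength, so the setup only helps when the legacy server really is confined to a network you already trust.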


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
