Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not have to hit my head against the wall too often.

That said - is there (an official) way to disable ssh1 in the server (e.g., --without-ssh1: Disable support for SSH protocol 1) but keep support in the client? That is how I would like to package it as of today. And I expect (read: hope) that even though support is compiled in, I could still disable it - by default - in the client via ssh_config.

Michael

p.s. Hubert - my apologies for the double send, forgot reply-to-all.

On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario@xxxxxxxxxx> wrote:
> On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> > re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> > Sounds like a man-in-the-middle I do not want to know about (but should
> > learn about just the same - aka the sand is not so deep I can bury my head
> > completely :)
>
> Yes, it is literally a "man in the middle", the point is, that this man is
> *you*, and as such, you can trust him, at least as much as you can trust the
> server itself.
>
> It's the same way a reverse proxy turns a local HTTP server running on port
> 8080 (or any other for that matter) into a proper HTTPS server.
>
> Or in other words, it's to turn something like this:
>
>                                         | trusted network here
>   client       .-,(  ),-.               |
>    __  _    .-(          )-.            |  router             server
>   [__]|=| ---->(  internet  )-------> __________ ------> ____   __
>   /::/|_| SSLv2 '-(          ).-' SSLv2 [...__...°] SSLv2 |  | |==|
>                   '-.( ).-'               |____|          |  |
>                                                    /::::/ |__|
>
> into something like this:
>
>                                         | trusted network here
>   client       .-,(  ),-.               |
>    __  _    .-(          )-.            |  router             server
>   [__]|=| ---->(  internet  )-------> __________ ------> ____   __
>   /::/|_| TLS1.2 '-(         ).-' TLS1.2 [...__...°] SSLv2 |  | |==|
>                   '-.( ).-'                 ↑ |____|        |  |
>                                          stunnel   /::::/ |__|
>
> (diagram taken from http://unix.stackexchange.com/a/126638)
> --
> Regards,
> Hubert Kario
> Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
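The reverse-proxy setup Hubert describes above, written out as an stunnel configuration. This is an added example for readers of the thread; it is not code from the mailing list, from the stunnel project, or from the Stack Exchange answer the diagram comes from. It assumes stunnel runs on the trusted network in front of the legacy host, that the legacy service is reachable at the hypothetical name legacy.example.internal, that a certificate and key for the public name legacy.example.com (also hypothetical) exist under /etc/stunnel/, and Debian-style stunnel4 user and group names; change those to match your system.

```ini
; Added example (not from the thread or from stunnel itself): a TLS-terminating
; reverse proxy, the "man in the middle that is you" from the diagram above.
; Assumed: stunnel sits on the trusted network, the legacy service is
; legacy.example.internal (hypothetical), the public name is legacy.example.com
; (hypothetical), and the stunnel4 user/group exist (Debian packaging).

; --- global section ---
pid    = /var/run/stunnel-legacy.pid
; Drop privileges once the listening socket is bound.
setuid = stunnel4
setgid = stunnel4
; Log handshake failures so rejected SSLv3/TLS1.0 clients are visible.
debug  = 5
output = /var/log/stunnel-legacy.log

; --- internet-facing side: only modern TLS is offered ---
[legacy-https]
client  = no
accept  = 0.0.0.0:443
cert    = /etc/stunnel/legacy.example.com.pem
key     = /etc/stunnel/legacy.example.com.key
; Pin the protocol: anything older than TLS 1.2 is refused at the handshake.
sslVersion = TLSv1.2
; Belt and braces: also switch the old versions off by OpenSSL option name.
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; Forward-secret AEAD suites only; no anonymous or MD5-based suites.
ciphers = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
; Where the decrypted traffic goes: plain HTTP on the trusted network, which is
; the port-8080 reverse-proxy case from the mail. stunnel does not re-encrypt
; inside one service; see the note below for an SSLv2-only backend.
connect = legacy.example.internal:80
```

Two caveats a practitioner should keep in mind. First, this single service terminates TLS and forwards plaintext, which is Hubert's port-8080 analogy; if the backend really only speaks SSLv2 as in the second diagram, you need a second service with `client = yes` whose `connect` is the legacy host and whose `sslVersion` is `SSLv2`, chained behind this one, and that second leg only works with an OpenSSL build that still contains SSLv2 code (it has been disabled by default for years and was removed outright in OpenSSL 1.1.0). Second, verify the public side actually refuses old protocols before trusting the diagram, for instance with `openssl s_client -connect legacy.example.com:443 -ssl3`, which must fail the handshake. For the ssh_config half of Michael's question, the client-side switch that stops a protocol-1-capable ssh from ever offering it is `Protocol 2` in ssh_config.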