FYI: SSH1 now disabled at compile-time by default
Hubert Kario
hkario at redhat.com
Thu Apr 2 00:05:56 AEDT 2015
On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> Sounds like a man-in-the-middle I do not want to know about (but should
> learn about just the same - aka the sand is not so deep I can bury my head
> completely :)
Yes, it is literally a "man in the middle"; the point is that this man is
*you*, and as such, you can trust him, at least as much as you can trust the
server itself.
It's the same way a reverse proxy turns a local HTTP server running on port
8080 (or any other for that matter) into a proper HTTPS server.
Or in other words, it's to turn something like this:
                                        | trusted network here
client ---SSLv2---> ( internet ) ---SSLv2---> router ---SSLv2---> server
into something like this:
                                        | trusted network here
client ---TLS1.2--> ( internet ) ---TLS1.2--> router ---SSLv2---> server
                                                ^
                                             stunnel
(diagram taken from http://unix.stackexchange.com/a/126638)
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
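One way to realise the second diagram with stunnel, as an added example (not from the post or from the stunnel project): two chained stunnel services on the router, one terminating TLS 1.2 from the internet and one re-wrapping the stream in SSLv2 toward the legacy server. Hostnames, ports, certificate paths and the stunnel 5.x option names are assumptions.

```ini
; Added example (not part of the original post): stunnel.conf on the router.
; Assumes stunnel 5.x linked against an OpenSSL that still offers SSLv2,
; which modern OpenSSL builds do not; names and paths are placeholders.

; Service 1: server mode, facing the internet. Accepts TLS 1.2 only,
; so the weak protocol is never exposed on the untrusted side.
[public-tls12]
accept     = 0.0.0.0:443
connect    = 127.0.0.1:8443
client     = no
cert       = /etc/stunnel/router.pem
key        = /etc/stunnel/router.key
sslVersion = TLSv1.2
options    = NO_SSLv2
options    = NO_SSLv3

; Service 2: client mode, loopback only. Takes the decrypted stream from
; service 1 and opens the SSLv2 hop to the legacy server on the trusted LAN.
[legacy-sslv2]
accept     = 127.0.0.1:8443
connect    = legacy-server.internal:443
client     = yes
sslVersion = SSLv2
```

The SSLv2 leg keeps all of its weaknesses, so it must stay confined to the trusted segment; the gain is only that nothing outside it ever sees SSLv2.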