FYI: SSH1 now disabled at compile-time by default

Hubert Kario hkario at redhat.com
Thu Apr 2 00:05:56 AEDT 2015


On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> Sounds like a man-in-the-middle I do not want to know about (but should
> learn about just the same - aka the sand is not so deep I can bury my head
> completely :)

Yes, it is literally a "man in the middle"; the point is that this man is 
*you*, and as such you can trust him, at least as much as you can trust the 
server itself.

It's the same way a reverse proxy turns a local HTTP server running on port 
8080 (or any other for that matter) into a proper HTTPS server.


Or in other words, it's to turn something like this:
                                               | trusted network here
  client            .-,(  ),-.    
   __  _         .-(          )-.            router             server 
  [__]|=|  ---->(    internet    )-------> __________ ------> ____   __ 
  /::/|_|  SSLv2 '-(          ).-' SSLv2   [...__...°] SSLv2 |    | |==|
                     '-.( ).-'                               |____| |  |
                                                             /::::/ |__|
into something like this:

                                               | trusted network here
  client            .-,(  ),-.                 
   __  _         .-(          )-.            router             server 
  [__]|=|  ---->(    internet    )-------> __________ ------> ____   __ 
  /::/|_| TLS1.2 '-(          ).-' TLS1.2  [...__...°] SSLv2 |    | |==|
                     '-.( ).-'                  ↑            |____| |  |
                                             stunnel         /::::/ |__|
(diagram taken from http://unix.stackexchange.com/a/126638)
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
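A minimal stunnel configuration for the reverse-proxy arrangement described above, added here as an illustration; it is not part of the original message nor taken from the stunnel project's documentation. It terminates TLS 1.2 on the router-side host and hands cleartext to a backend on the trusted network, i.e. the "local HTTP server on port 8080" case from the message. The certificate and key paths, the backend address 192.0.2.10:8080 and the service name are placeholders.

```ini
; Global section: identity the proxy presents to clients on the internet
; (placeholder paths; use a certificate the clients actually trust)
cert = /etc/stunnel/proxy-cert.pem
key  = /etc/stunnel/proxy-key.pem
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid

; One service: accept TLS from anywhere, forward cleartext to the trusted side
[legacy-web]
accept  = 0.0.0.0:443
; placeholder backend on the trusted network (the port-8080 HTTP server)
connect = 192.0.2.10:8080
; pin the client-facing side to TLS 1.2, matching the second diagram
; (newer stunnel releases express the same with sslVersionMin / sslVersionMax)
sslVersion = TLSv1.2
```

In server mode stunnel decrypts and forwards plaintext to the `connect` target, so the weak hop has been removed entirely here rather than merely hidden. The first diagram's variant, where the server still only speaks SSLv2, would need a second stunnel service on the trusted segment running with `client = yes` to re-encrypt towards the server; that keeps the SSLv2 exposure alive, only now confined to the trusted network, which is exactly the trade the message describes.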