Adding SNI support to SSH

Nico Schottelius nico.schottelius at ungleich.ch
Sun Jan 12 23:54:56 AEDT 2020


Good morning,

I was wondering what you think about SNI (server name indication)
support for OpenSSH?

Background: SSH is one of the rare protocols in the data center that
cannot be easily load balanced, proxied or made highly available.

If the ssh client would indicate which host it wants to connect to, a
proxy or load balancer could easily be implemented.

While this is an obvious feature for load balancing, I have another use
case that is very important: bridging the IPv4 to the IPv6 world (see
also [0]).

With IPv4 having run out in many places, it is often necessary to
multiplex a public IPv4 address for multiple IPv6 end hosts, to help
them be reachable from the IPv4 world.

With all the TLS based protocols (including https, imaps) this is easily
possible. SSH is an exception here and makes it hard to implement a
generic way of enabling IPv6 only systems to be reachable from the IPv4
world.

My suggestion would be as follows:

- change the ssh client to add a header/packet at the start of the
  connection that says "I want to connect to X", X being whatever is
  passed into the commandline (IPv6 address, IPv4 address, domain name).

- either not modifying the server OR
- adding a variable into the server that lets one match on the client
  provided value

I am aware that one can use different ports for multiplexing and also
that SNI is not secure, as it is client provided. However the latter is
not a problem, as security always needs to be ensured on the server
side.

I am looking forward to hearing your opinion. If this is something that
would be accepted upstream, I could come up with a patch for it.

Best regards,

Nico

[0] https://ungleich.ch/de/cms/ungleich-blog/2018/09/20/how-to-break-ipv4-https/

--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
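As an added illustration of the proxy side of the proposal (this is not code from the post, from OpenSSH, or from ungleich), the sketch below shows how a front-end could route on a client-provided target name while an unmodified sshd sits behind it. The header format `SSH-SNI <name>\r\n`, sent once before the normal SSH version exchange, is an assumption made for this example; so are the backend names and addresses in the routing table. The point the post makes about the value being untrusted is reflected in the design: the name is only ever used as a key into an allowlist, it is never used as a raw address, and the header is stripped so the backend sees a plain SSH connection.

```python
"""Added example: an SNI-style routing proxy for SSH as sketched in the post.

ASSUMED wire format (not part of any SSH standard or OpenSSH):
    client -> proxy:  b"SSH-SNI <name>\r\n" followed by the usual SSH stream
The proxy consumes that one line, picks a backend from an allowlist and
pipes the remaining bytes unchanged, so the backend sshd needs no changes.
"""
import re
import socket
import threading
from typing import Optional, Tuple

# Constructed routing table. The client-supplied name is untrusted, so it is
# only used to look up an entry here; unknown names are refused outright.
BACKENDS = {
    "host-a.example": ("2001:db8::a", 22),
    "host-b.example": ("2001:db8::b", 22),
}

# Hostnames only: letters, digits, dots, hyphens, bounded length.
HEADER_RE = re.compile(rb"^SSH-SNI ([A-Za-z0-9.\-]{1,253})\r?\n$")
MAX_HEADER = 300  # refuse anything longer before reading further


def parse_sni_header(line: bytes) -> Optional[str]:
    """Return the target name from the assumed header line, or None."""
    m = HEADER_RE.match(line)
    return m.group(1).decode("ascii") if m else None


def choose_backend(line: bytes) -> Optional[Tuple[str, int]]:
    """Map a header line to a backend address, or None if it must be refused."""
    name = parse_sni_header(line)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


def read_header_line(sock: socket.socket, limit: int = MAX_HEADER) -> Optional[bytes]:
    """Read one line byte-by-byte so nothing past the header is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        if len(buf) >= limit:
            return None
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then tear down both sides."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client: socket.socket) -> None:
    line = read_header_line(client)
    backend = choose_backend(line) if line else None
    if backend is None:
        client.close()  # malformed header or name not in the allowlist
        return
    upstream = socket.create_connection(backend)
    # Header already stripped: the backend sees a normal SSH version exchange.
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)


def serve(listen_addr: Tuple[str, int] = ("::", 2222)) -> None:
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Running `serve()` listens on the assumed port 2222; a client that does not send the header (a stock ssh, whose first bytes are its `SSH-2.0-` banner) fails the match and is dropped, which is the behaviour a front-end like this needs so that unmodified clients cannot be steered anywhere by accident.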

