Adding SNI support to SSH

Luca Filipozzi lfilipoz at
Tue Jan 14 05:23:05 AEDT 2020

On Mon, Jan 13, 2020 at 05:14:02PM +0100, Nico Schottelius wrote:
> p.s.: HAProxy, which we use, can even forward the original client IP to
> the end host using the "proxy protocol".
> pps: The whole haproxy configuration for it looks as following. It
> supports smtps, imaps. https and http at the moment.
> # ipv4 https frontend
> frontend httpsipv4
>     bind ipv4@:443
>     mode tcp
>     option tcplog
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     default_backend httpsipv4
> backend httpsipv4
>     mode tcp
>     use-server if { req_ssl_sni -i }
>     server ipv6 at
>     ...

Neat. I do something similar: in order to circumvent obnoxious airport /
coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
to offer 'SSH over HTTPS'.  haproxy terminates the HTTPS connection
(which is SNI-aware) while sshd on the target machine terminates the
tunneled SSH connection.

In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
HTTPS connection.

You've indicated that you don't want to compel your users to make
significant changes to ssh_config, but others in this thread have noted
that an SNI option for OpenSSH will take some time to propagate from
ideation through development through widespread* deployment

Would this SSH-over-HTTPS option be worth considering for your use case
while the SNI-aware OpenSSH gets more backers? (I think I might be one,
now. You may wish to ask for Proxy-Protocol support, also.)

* sufficiently widespread that your users can get packages from distros

Luca Filipozzi

More information about the openssh-unix-dev mailing list