Adding SNI support to SSH

Nico Schottelius nico.schottelius at
Tue Jan 14 08:27:26 AEDT 2020

Ciao Luca,

Luca Filipozzi <lfilipoz at> writes:
>> [ ... ]
> Neat. I do something similar: in order to circumvent obnoxious airport /
> coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
> to offer 'SSH over HTTPS'.  haproxy terminates the HTTPS connection
> (which is SNI-aware) while sshd on the target machine terminates the
> tunneled SSH connection.
> In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
> HTTPS connection.

Quite nice as well!

> You've indicated that you don't want to compel your users to make
> significant changes to ssh_config, but others in this thread have noted
> that an SNI option for OpenSSH will take some time to propagate from
> ideation through development through widespread* deployment

I perfectly understand that. At the moment we give out a wireguard
IPv6 VPN for free to all users, which also has the nice side effect of
giving anyone anywhere (even behind cgnat) IPv6 connectivity.

Surprisingly, adding a totally new program with totally different
characteristics so far turned out to be easier than having users edit
their ssh config.

> Would this SSH-over-HTTPS option be worth considering for your use case
> while the SNI-aware OpenSSH gets more backers? (I think I might be one,
> now. You may wish to ask for Proxy-Protocol support, also.)
> * sufficiently widespread that your users can get packages from distros

I might have mixed up two cases in my previous mails a bit, which share
a lot of properties:

a) enabling IPv4 to IPv6 users
b) enabling load balancing for multi clusters

The (b) case has 1 name per cluster, each serving multiple nodes behind
the name. (b) is currently solved using round robin DNS with a 60s
timeout. And yes, indeed all those nodes have the same host keys and
it needs 1 public IPv4 address per cluster.

Both cases would significantly profit from an ability to dispatch by
name or intent, not only for us, but also for other organisations we work
So I am fine with taking some time to find a good solution that can be
agreed on and waiting for all the ripple effects, because I literally
see the potential of making life easier for thousands of people.

Best regards,


Modern, affordable, Swiss Virtual Machines. Visit
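As an added illustration of the "SSH over HTTPS" arrangement Luca describes above, here is an example client ssh_config stanza and a matching haproxy configuration. This is example configuration written for this page, not taken from the thread or from either poster's setup. The host names, the IPv6 node addresses and the certificate path are placeholders, and openssl s_client is used in place of the gnutls-cli invocation Luca mentions because its -quiet mode keeps stdout clean for the SSH banner; the haproxy side also shows how the same SNI dispatch covers the one-name-per-cluster case (b) with IPv6-only nodes behind a single public IPv4 address.

```text
# --- ~/.ssh/config on the client (example, not from the thread) ---
# The SSH session is carried inside a TLS connection to port 443, so a
# firewall that only allows HTTPS sees a normal TLS handshake with SNI.
Host cluster-a.example.com cluster-b.example.com
    # openssl s_client stands in for gnutls-cli here: -servername sends the
    # SNI that haproxy dispatches on, -quiet keeps stdout free of handshake
    # chatter so the server's SSH banner is the first thing ssh reads.
    ProxyCommand openssl s_client -quiet -connect %h:443 -servername %h

# --- /etc/haproxy/haproxy.cfg on the public IPv4 gateway (example) ---
defaults
    mode tcp
    timeout connect 5s
    timeout client  1h      # idle SSH sessions must not be cut off early
    timeout server  1h

frontend https_in
    bind :443 ssl crt /etc/haproxy/gateway.pem   # certificate path is a placeholder
    # TLS is terminated here, so the client's SNI is available as ssl_fc_sni
    use_backend ssh_cluster_a if { ssl_fc_sni -i cluster-a.example.com }
    use_backend ssh_cluster_b if { ssl_fc_sni -i cluster-b.example.com }
    default_backend web_fallback

# One backend per cluster name. The nodes share host keys, as in case (b),
# and may be IPv6-only: the client only ever talks IPv4 to haproxy.
backend ssh_cluster_a
    balance roundrobin
    server a1 [2001:db8:a::1]:22 check
    server a2 [2001:db8:a::2]:22 check

backend ssh_cluster_b
    balance roundrobin
    server b1 [2001:db8:b::1]:22 check

backend web_fallback
    server www 127.0.0.1:8080
```

Two caveats worth knowing before running this: the TCP health checks open and immediately close port 22, so each node's sshd will log a "Did not receive identification string" line per check interval unless the check is tuned or dropped; and because haproxy terminates TLS and opens a fresh TCP connection, sshd only ever sees the gateway's address in its logs and in Match blocks, which is the gap behind Luca's remark about Proxy-Protocol support.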
