openSSH 5.8p2 BindPort patch

Rory McNamara pink.banana.fish at gmail.com
Fri Jul 22 02:23:01 EST 2011


My home ssh is running on port 443, well, port forwarded 443->22, but
it's the same pretty much. As far as I know, the error code is:

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL)
port is not allowed. ISA Server is not configured to allow SSL
requests from this port. Most Web browsers use port 443 for SSL
requests.

I can't confirm it, but that sounds about right. So setting a source
port of 443, using the proxy, and a destination port of 443 gets
through with no errors. This may not be the only source port, but
it's the only one I tried. Next time I can, I will MITM a connection
from one of the school boxes to see what the source port for that is.

On Thu, Jul 21, 2011 at 5:02 PM, Alex Bligh <alex at alex.org.uk> wrote:
>
>
> --On 20 July 2011 14:12:38 +1000 Darren Tucker <dtucker at zip.com.au> wrote:
>
>>> The proxy I'm trying to get through only allows ssl on ports 443 from
>>> port 443, I have no idea why,
>>
>> That sounds quite broken since TCP connections are uniquely identified
>> by the 4-tuple of source IP, source port, destination IP, destination
>> port.  If your proxy does what you describe it would limit you to only
>> one outbound SSL connection at any time and I would suspect something
>> is misconfigured.
>
> It might well be broken, but that is an argument in favour of the
> patch: getting around broken firewalls is a classic use-case for
> ssh.
>
> Rory: you might also try running ssh on port 443 somewhere outside
> the firewall; I can't believe they will filter https connections
> by source port.
>
> --
> Alex Bligh
>
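
The 4-tuple point quoted above, as an added example that is not part of the original thread: with the source IP, source port and destination fixed, a second simultaneous TCP connection is refused by the local stack, while the same source port to a different destination still works. Assumptions: loopback listeners stand in for the remote server, an OS-chosen unprivileged port stands in for 443, and the behaviour shown is that of Linux with SO_REUSEADDR set on the client sockets.

```python
import errno
import socket

def listener():
    """Loopback listener on an OS-chosen port (stands in for a remote server)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s

def connect_from(src_port, dst):
    """Connect to dst from a fixed source port.

    Returns (socket, None) on success or (None, errno name) on failure.
    SO_REUSEADDR lets several unconnected sockets share the local port, so
    the only remaining constraint is the uniqueness of the full 4-tuple.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        c.bind(("127.0.0.1", src_port))
        c.connect(dst)
        return c, None
    except OSError as e:
        c.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))

def demo():
    srv_a, srv_b = listener(), listener()
    dst_a, dst_b = srv_a.getsockname(), srv_b.getsockname()
    # First connection: let the OS pick the source port, then pin it.
    first, err_first = connect_from(0, dst_a)
    src_port = first.getsockname()[1]
    # Same source port, same destination: the 4-tuple already exists.
    second, err_same = connect_from(src_port, dst_a)
    # Same source port, different destination port: a new 4-tuple.
    third, err_other = connect_from(src_port, dst_b)
    for s in (first, second, third, srv_a, srv_b):
        if s is not None:
            s.close()
    return {"first": err_first, "same_destination": err_same,
            "other_destination": err_other}

if __name__ == "__main__":
    print(demo())
```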

