Package: proxytunnel
Version: 1.9.0-3jim
Severity: wishlist
Tags: patch

Hi,

Based on the directions at 
  http://dag.wieers.com/howto/ssh-http-tunneling/
I'm using proxytunnel to connect to an Apache server and then CONNECT
to my destination host.  A local firewall blocks this when
unencrypted, but allows SSL traffic through.  Thus, I want to use
proxytunnel's -e option.

However, as mentioned on that page:

   Tunneling to HTTPS
   proxytunnel has support for SSL tunneling by using the -e
   option. Unfortunately we discovered a bug in Apache that causes
   CONNECT (mod_proxy) to fail when SSL is being enabled. You can find
   more information in Apache's bugzilla at:
   http://issues.apache.org/bugzilla/show_bug.cgi?id=29744

That bug has been open and debated for over 7 years.  It's much easier
for me to work around this bug in proxytunnel instead -- proxytunnel
just needs to stop using SSL as soon as the CONNECT request has been sent,
reading the proxy's reply and carrying the tunnelled data in cleartext
from then on.  Only the CONNECT exchange itself is encrypted in that
mode, so the tunnelled protocol (ssh, in my case) must bring its own
encryption.
Please consider the attached patch which adds this feature through a
new --buggy-encrypt-proxy (-B) option.

-jim


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (250, 'testing'), (200, 'stable'), (50, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-020637rc7-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages proxytunnel depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libgnutls26                   2.8.6-1    the GNU TLS library - runtime libr
ii  libmhash2                     0.9.9.9-1  Library for cryptographic hashing 

proxytunnel recommends no packages.

Versions of packages proxytunnel suggests:
ii  ssh                           1:5.5p1-5  secure shell client and server (me

-- no debconf information
diff -urN proxytunnel-old//cmdline.c proxytunnel-1.9.0//cmdline.c
--- proxytunnel-old//cmdline.c	2008-03-03 17:06:28.000000000 -0500
+++ proxytunnel-1.9.0//cmdline.c	2011-03-15 16:00:24.000000000 -0400
@@ -58,6 +58,7 @@
 #ifdef USE_SSL
 " -e, --encrypt             SSL encrypt data between local proxy and destination\n"
 " -E, --encrypt-proxy       SSL encrypt data between client and local proxy\n"
+" -B, --buggy-encrypt-proxy Like --encrypt-proxy, but stop using SSL after CONNECT\n"
 " -X, --encrypt-remproxy    Encrypt between 1st and 2nd proxy using SSL\n"
 #endif
 "\n"
@@ -130,6 +131,7 @@
 	args_info->domain_given = 0;
 	args_info->encrypt_given = 0;
 	args_info->encryptproxy_given = 0;
+	args_info->buggyencryptproxy_given = 0;
 	args_info->encryptremproxy_given = 0;
 	args_info->proctitle_given = 0;
 
@@ -155,6 +157,7 @@
 	args_info->standalone_arg = 0; \
 	args_info->encrypt_flag = 0; \
 	args_info->encryptproxy_flag = 0; \
+	args_info->buggyencryptproxy_flag = 0; \
 	args_info->encryptremproxy_flag = 0; \
 	args_info->proctitle_arg = NULL; \
 } 
@@ -197,13 +200,14 @@
 			{ "quiet",			0, NULL, 'q' },
 			{ "encrypt",		0, NULL, 'e' },
 			{ "encrypt-proxy",	0, NULL, 'E' },
+			{ "buggy-encrypt-proxy",	0, NULL, 'B' },
 			{ "encrypt-remproxy",0,NULL, 'X' },
 			{ NULL,				0, NULL, 0 }
 		};
 
-		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq", long_options, &option_index);
+		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEBXq", long_options, &option_index);
 #else
-		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq" );
+		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEBXq" );
 #endif
 
 		if (c == -1)
@@ -227,6 +231,12 @@
 				if( args_info->verbose_flag )
 					message("SSL client to proxy enabled\n");
 				break;
+
+			case 'B':	/* Turn on client to proxy SSL encryption, but only until CONNECT */
+				args_info->buggyencryptproxy_flag = !(args_info->buggyencryptproxy_flag);
+				if( args_info->verbose_flag )
+					message("SSL client to proxy enabled, only until CONNECT\n");
+				break;
 #endif
 
 			case 'i':	/* Run from inetd. */
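Review bot: The new `case 'B'` never sets `args_info->buggyencryptproxy_given`, although the earlier hunks add and zero that field; if the `_given` fields are consulted anywhere (the head of the 'E' case is above this hunk, so I can't see whether `encryptproxy_given` is set there), add `args_info->buggyencryptproxy_given = 1;` next to the flag toggle. The verbose message could also spell out the consequence instead of "only until CONNECT": `message("SSL client to proxy enabled, cleartext after CONNECT\n");`. The enclosing switch starts and ends outside this hunk.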
diff -urN proxytunnel-old//cmdline.h proxytunnel-1.9.0//cmdline.h
--- proxytunnel-old//cmdline.h	2008-02-22 16:25:02.000000000 -0500
+++ proxytunnel-1.9.0//cmdline.h	2011-03-15 16:00:24.000000000 -0400
@@ -46,6 +46,7 @@
 	int standalone_arg;		/* Turn on stdalone (-a) on port */
 	int encrypt_flag;		/* Turn on SSL encryption (default=off). */
 	int encryptproxy_flag;	/* Turn on client to proxy SSL encryption (def=off).*/
+	int buggyencryptproxy_flag;	/* Turn on client to proxy SSL encryption, only until CONNECT (def=off).*/
 	int encryptremproxy_flag;  /* Turn on local to remote proxy SSL encryption (def=off).*/
 	char *proctitle_arg;	/* Override process title (default=off). */
 	int help_given;			/* Whether help was given. */
@@ -68,6 +69,7 @@
 	int quiet_given;		/* Whether quiet mode was given. */
 	int header_given;		/* Whether extra headers are given */
 	int encrypt_given;		/* Whether encrypt was given */
+	int buggyencryptproxy_given;	/* Whether encrypt was given */
 	int encryptproxy_given;	/* Whether encrypt was given */
 	int encryptremproxy_given;   /* Whether encrypt was given */
 	int proctitle_given;	/* Whether to override process title */
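Review bot: The comment on the new `buggyencryptproxy_given` field is copied from its neighbours and reads `Whether encrypt was given`, which is wrong for this option; write `int buggyencryptproxy_given;	/* Whether --buggy-encrypt-proxy was given */`. The field is also inserted before `encryptproxy_given` here while the matching flag in the previous hunk goes after `encryptproxy_flag`; keeping both orders the same makes the pairs easier to match when reading the struct.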
diff -urN proxytunnel-old//debian/changelog proxytunnel-1.9.0//debian/changelog
--- proxytunnel-old//debian/changelog	2011-03-17 13:55:18.000000000 -0400
+++ proxytunnel-1.9.0//debian/changelog	2011-03-15 16:00:24.000000000 -0400
@@ -1,3 +1,11 @@
+proxytunnel (1.9.0-3jim) unstable; urgency=low
+
+  * Add patch to support buggy Apache servers via the
+    --buggy-encrypt-proxy option (for more info on the bug, see
+    https://issues.apache.org/bugzilla/show_bug.cgi?id=29744)
+
+ -- Jim Paris <[email protected]>  Tue, 15 Mar 2011 15:48:19 -0400
+
 proxytunnel (1.9.0-3) unstable; urgency=low
 
   * Provide more useful error messages from GNUTLS
diff -urN proxytunnel-old//http.c proxytunnel-1.9.0//http.c
--- proxytunnel-old//http.c	2008-02-26 18:31:01.000000000 -0500
+++ proxytunnel-1.9.0//http.c	2011-03-15 16:00:24.000000000 -0400
@@ -149,6 +149,11 @@
 //	if( args_info.verbose_flag )
 //		message( "Data received from local proxy:\n");
 
+	if( args_info.buggyencryptproxy_flag && pts->ssl ) {
+		message( "Switching to non-SSL communication\n");
+		pts->ssl = 0;
+	}
+
 	/* Read the first line of the response and analyze it */
 	analyze_HTTP(pts);
 
diff -urN proxytunnel-old//proxytunnel.1 proxytunnel-1.9.0//proxytunnel.1
--- proxytunnel-old//proxytunnel.1	2011-03-17 13:55:18.000000000 -0400
+++ proxytunnel-1.9.0//proxytunnel.1	2011-03-15 16:00:24.000000000 -0400
@@ -61,6 +61,11 @@
 .B \-E, \-\-encrypt-proxy
 Encrypt the data between the client and the local proxy using SSL.
 .TP
+.B \-B, \-\-buggy-encrypt-proxy
+Encrypt the data between the client and the local proxy using SSL,
+but stop using SSL immediately after the CONNECT exchange to workaround
+server bugs.
+.TP
 .B \-X, \-\-encrypt-remproxy
 Encrypt the data between the local proxy and the second-level proxy
 using SSL.
diff -urN proxytunnel-old//proxytunnel.c proxytunnel-1.9.0//proxytunnel.c
--- proxytunnel-old//proxytunnel.c	2011-03-17 13:55:18.000000000 -0400
+++ proxytunnel-1.9.0//proxytunnel.c	2011-03-15 16:00:24.000000000 -0400
@@ -274,7 +274,7 @@
 
 #ifdef USE_SSL
 			/* If --encrypt-proxy is specified, connect to the proxy using SSL */
-			if ( args_info.encryptproxy_flag )
+			if ( args_info.encryptproxy_flag || args_info.buggyencryptproxy_flag )
 				stream_enable_ssl(stunnel);
 #endif /* USE_SSL */
 
@@ -385,9 +385,10 @@
 	/* Only one of -E/-e/-R can be specified. */
 	if ((args_info.encrypt_flag ? 1 : 0) +
 		(args_info.encryptproxy_flag ? 1 : 0) +
+		(args_info.buggyencryptproxy_flag ? 1 : 0) +
 		(args_info.encryptremproxy_flag ? 1 : 0) > 1)
 	{
-		message("Error: only one of --encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n");
+		message("Error: only one of --encrypt-proxy, --buggy-encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n");
 		exit( 1 );
 	}
 
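Review bot: The comment `/* Only one of -E/-e/-R can be specified. */` above the check was not updated for the new -B flag, and its `-R` already disagreed with the `-X` that the error message names; make it `/* Only one of -E/-B/-e/-X can be specified. */` so it matches the updated message. The enclosing function starts outside this hunk.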
@@ -410,7 +411,7 @@
 
 		/* If --encrypt-proxy is specified, connect to the proxy using SSL */
 #ifdef USE_SSL
-		if ( args_info.encryptproxy_flag )
+		if ( args_info.encryptproxy_flag || args_info.buggyencryptproxy_flag )
 			stream_enable_ssl(stunnel);
 #endif /* USE_SSL */
 
diff -urN proxytunnel-old//README proxytunnel-1.9.0//README
--- proxytunnel-old//README	2008-03-03 17:09:28.000000000 -0500
+++ proxytunnel-1.9.0//README	2011-03-15 16:00:24.000000000 -0400
@@ -34,6 +34,7 @@
  -d, --dest=STRING         Destination host:port combination
  -e, --encrypt             SSL encrypt data between local proxy and destination
  -E, --encrypt-proxy       SSL encrypt data between client and local proxy
+ -B, --buggy-encrypt-proxy Like --encrypt-proxy, but stop using SSL after CONNECT
  -X, --encrypt-remproxy    Encrypt between 1st and 2nd proxy using SSL
 
 Additional options for specific features:
