Do you have a pointer to a specific SSL proxy that you're talking about? I have this sneaking suspicion that what you're actually referring to is a transparent https proxy, which would most definitely *not* work, as openvpn rides on top of ssl, but not on top of http on top of ssl.
A good test of this would be to try something like openssl s_client/s_server on each side of the proxy, or netcat with ssl support, and make sure that if you try and pass non-http traffic through it, the proxy doesn't reject or otherwise molest it.

-Joe

On Fri, Mar 11, 2011 at 2:09 PM, Vineet Kumar <vineet.ku...@gmail.com> wrote:
> Thanks for your replies.
>
> So,
> - without --tls-auth
> - with tcp as the transport
> if we want to make openvpn purely SSL then are these the complete set
> of things to take care of?:
> 1. Move all P_CONTROL_* messages to be encapsulated in SSL
> 2. Stop adding reliability layer over SSL
>
> Let's say, theoretically, that the above 2 steps are taken care of
> (easier said than done, for sure). Will the resulting VPN setup then
> pass through transparent SSL proxies unbroken?
>
> Thanks,
>
> Vineet
>
> On Fri, Mar 11, 2011 at 1:35 AM, David Sommerseth
> <openvpn.l...@topphemmelig.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 11/03/11 10:04, Gert Doering wrote:
>> | Hi,
>> |
>> | On Thu, Mar 10, 2011 at 05:04:48PM -0800, Vineet Kumar wrote:
>> |> Also, doesn't this make openvpn different from other SSL VPNs which
>> |> advertise the fact that they are truly SSL?
>> |
>> | Well, OpenVPN is "truly SSL", but it's not "using https as a browser would
>> | do to hide the fact that there is a VPN inside"...
>>
>> Kind of. Gert is basically correct. But it is important to understand that
>> OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL
>> applications do. So all the SSL packets from OpenVPN are encapsulated in a
>> kind of OpenVPN container. Which is why some strict proxies or deep packet
>> inspection firewalls might not allow OpenVPN traffic.
>>
>> The reason for this is that OpenVPN is primarily written for the UDP
>> protocol, while SSL itself is very TCP oriented. To my knowledge, there is
>> no UDP transport support in OpenSSL. So OpenVPN uses OpenSSL differently,
>> intercepting the network connections and sending the data through OpenVPN's
>> own network socket infrastructure. If OpenVPN's HMAC support (--tls-auth) is
>> enabled, some extra bytes are added on top of the SSL packet itself.
>>
>> Of course, it would probably be possible (I have not investigated this) to
>> add a feature which restricts OpenVPN to use the core SSL protocol, without
>> this encapsulation on top of the SSL packets. However, when such a feature is
>> enabled, it would restrict the usage to TCP. In addition, the --tls-auth
>> feature would not be useful at all.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk157MQACgkQDC186MBRfrqQdgCdGKarB9OcdlKSQaTxLXZIZnou
>> qmoAn0G/9cfGHx6+NeWk2v0agOjRJCI9
>> =SOiC
>> -----END PGP SIGNATURE-----
>>
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
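The point the thread keeps circling (OpenVPN carries TLS inside its own container, and --tls-auth adds bytes on top of that) is easiest to see with the bytes in hand. The following is an added example, not code from the thread or from OpenVPN: it builds a constructed TLS ClientHello record, wraps it the way OpenVPN's TCP control channel does, and runs both against the kind of first-bytes check a transparent TLS proxy uses. The framing (2-byte length prefix, opcode/key-id byte, 8-byte session id, optional tls-auth HMAC plus packet-id/timestamp, ack array, packet id, payload) is my simplified reconstruction of the OpenVPN wire format and the HMAC coverage is simplified; the session id, key and timestamp are constructed values. What it shows is what Joe's s_client/s_server test probes: a proxy that only admits streams starting with a TLS handshake record never sees one from OpenVPN, with or without --tls-auth.

```python
import hashlib
import hmac
import struct

P_CONTROL_V1 = 4                                   # OpenVPN opcode that carries TLS bytes
KEY_ID = 0
SESSION_ID = bytes.fromhex("0011223344556677")     # constructed 8-byte session id
TLS_AUTH_KEY = b"constructed-tls-auth-key-not-real" # constructed, assumption: not a real key
HMAC_LEN = hashlib.sha1().digest_size              # 20 bytes for the SHA1 default

# Constructed sample: a minimal TLS 1.0 ClientHello record (version, 32-byte
# random, empty session id, nothing else). Enough for a sniffer, not a real hello.
_hello_body = b"\x03\x01" + bytes(32) + b"\x00"
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
TLS_RECORD = b"\x16\x03\x01" + struct.pack("!H", len(_handshake)) + _handshake


def looks_like_tls_handshake(first_bytes: bytes) -> bool:
    """The check a transparent TLS proxy applies to the first bytes of a TCP
    stream: TLS record type handshake (0x16), major version 3, and a
    ClientHello (handshake type 0x01) as the first message."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[5] == 0x01)


def openvpn_tcp_frame(tls_bytes: bytes, tls_auth: bool = False,
                      packet_id: int = 1, net_time: int = 0) -> bytes:
    """Wrap TLS bytes in OpenVPN's TCP container (simplified layout, assumption)."""
    opcode_byte = bytes([(P_CONTROL_V1 << 3) | KEY_ID])
    # ack-array length 0, this packet's id, then the TLS payload
    body = bytes([0]) + struct.pack("!I", packet_id) + tls_bytes
    if tls_auth:
        replay = struct.pack("!II", packet_id, net_time)   # replay-protection fields
        # HMAC over replay fields + opcode + session id + body (coverage simplified)
        mac = hmac.new(TLS_AUTH_KEY, replay + opcode_byte + SESSION_ID + body,
                       hashlib.sha1).digest()
        packet = opcode_byte + SESSION_ID + mac + replay + body
    else:
        packet = opcode_byte + SESSION_ID + body
    return struct.pack("!H", len(packet)) + packet      # TCP mode: 2-byte length prefix


def strip_openvpn_tcp_frame(frame: bytes, tls_auth: bool = False) -> bytes:
    """Inverse of openvpn_tcp_frame: peel the container, verify the tls-auth
    HMAC when present, and return the TLS bytes carried inside."""
    (length,) = struct.unpack("!H", frame[:2])
    packet = frame[2:2 + length]
    if len(packet) != length:
        raise ValueError("truncated frame")
    if packet[0] >> 3 != P_CONTROL_V1:
        raise ValueError("unexpected opcode %d" % (packet[0] >> 3))
    pos = 1 + 8                                          # opcode byte + session id
    if tls_auth:
        mac = packet[pos:pos + HMAC_LEN]
        replay = packet[pos + HMAC_LEN:pos + HMAC_LEN + 8]
        body = packet[pos + HMAC_LEN + 8:]
        expect = hmac.new(TLS_AUTH_KEY, replay + packet[:1] + packet[1:9] + body,
                          hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expect):
            raise ValueError("bad tls-auth HMAC")
        pos += HMAC_LEN + 8
    ack_count = packet[pos]
    pos += 1 + 4 * ack_count + (8 if ack_count else 0)  # acks, remote session id if any
    pos += 4                                             # this packet's id
    return packet[pos:]


def tls_auth_rejects_tampering(frame: bytes) -> bool:
    """True if flipping one payload bit of a tls-auth frame is caught by the HMAC."""
    tampered = bytearray(frame)
    tampered[-1] ^= 0x01
    try:
        strip_openvpn_tcp_frame(bytes(tampered), tls_auth=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    plain = openvpn_tcp_frame(TLS_RECORD)
    authed = openvpn_tcp_frame(TLS_RECORD, tls_auth=True, net_time=1299880000)
    print("raw TLS passes proxy check:     ", looks_like_tls_handshake(TLS_RECORD))
    print("OpenVPN/TCP passes proxy check: ", looks_like_tls_handshake(plain))
    print("with --tls-auth passes check:   ", looks_like_tls_handshake(authed))
    print("tls-auth overhead (bytes):      ", len(authed) - len(plain))
    print("inner TLS recovered intact:     ", strip_openvpn_tcp_frame(plain) == TLS_RECORD)
```

The same test in the field is the one Joe suggests: run `openssl s_server` behind the proxy and `openssl s_client` in front of it, then type something that is not an HTTP request into the established session; if the proxy only tolerates HTTP over TLS you will see the connection dropped or rewritten. The Python check above is the stricter, earlier failure: a proxy that fingerprints the first record never even gets to that stage with OpenVPN, because byte 0 of the stream is the OpenVPN length prefix rather than 0x16.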