BlueCoat's ProxySG is one that runs transparent SSL protocol detection and breaks if OpenVPN traffic is coming in via 443. This proxy is able to pass through other non-HTTP pure SSL traffic though, and not just HTTPS.

Vineet

On Fri, Mar 11, 2011 at 11:58 AM, Joe Patterson <j.m.patter...@gmail.com> wrote:
> Do you have a pointer to a specific SSL proxy that you're talking about?
>
> I have this sneaking suspicion that what you're actually referring to
> is a transparent https proxy, which would most definitely *not* work,
> as openvpn rides on top of ssl, but not on top of http on top of ssl.
>
> A good test of this would be to try something like openssl
> s_client/s_server on each side of the proxy, or netcat with ssl
> support and make sure that if you try and pass non-http traffic
> through it, that the proxy doesn't reject or otherwise molest it.
>
> -Joe
>
> On Fri, Mar 11, 2011 at 2:09 PM, Vineet Kumar <vineet.ku...@gmail.com> wrote:
>> Thanks for your replies.
>>
>> So,
>> - without --tls-auth
>> - with tcp as the transport
>> if we want to make openvpn purely SSL then are these the complete set
>> of things to take care of?:
>> 1. Move all P_CONTROL_* messages to be encapsulated in SSL
>> 2. Stop adding reliability layer over SSL
>>
>> Let's say, theoretically, that the above 2 steps are taken care of
>> (easier said than done, for sure). Will the resulting VPN setup then
>> pass through transparent SSL proxies unbroken?
>>
>> Thanks,
>>
>> Vineet
>>
>> On Fri, Mar 11, 2011 at 1:35 AM, David Sommerseth
>> <openvpn.l...@topphemmelig.net> wrote:
>>> On 11/03/11 10:04, Gert Doering wrote:
>>> | Hi,
>>> |
>>> | On Thu, Mar 10, 2011 at 05:04:48PM -0800, Vineet Kumar wrote:
>>> |> Also, doesn't this make openvpn different from other SSL VPNs which
>>> |> advertise the fact that they are truly SSL?
>>> |
>>> | Well, OpenVPN is "truly SSL", but it's not "using https as a browser would
>>> | do to hide the fact that there is a VPN inside"...
>>>
>>> Kind of. Gert is basically correct. But it is important to understand that
>>> OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL
>>> applications do. So all the SSL packets from OpenVPN are encapsulated in a
>>> kind of OpenVPN container. Which is why some strict proxies or deep packet
>>> inspection firewalls might not allow OpenVPN traffic.
>>>
>>> The reason for this is that OpenVPN is primarily written for the UDP
>>> protocol, while SSL itself is very TCP oriented. To my knowledge, there is no
>>> UDP transport support in OpenSSL. So OpenVPN uses OpenSSL differently,
>>> intercepting the network connections and sending the data through OpenVPN's
>>> own network socket infrastructure. If OpenVPN's HMAC support (--tls-auth) is
>>> enabled, some extra bytes are added on top of the SSL packet itself.
>>>
>>> Of course, it would probably be possible (I have not investigated this) to add
>>> a feature which restricts OpenVPN to use the core SSL protocol, without this
>>> encapsulation on top of the SSL packets. However, when such a feature is
>>> enabled, it would restrict the usage of TCP. In addition, the --tls-auth
>>> feature would not be useful at all.
>>>
>>>
>>> kind regards,
>>>
>>> David Sommerseth
>>>
>> ------------------------------------------------------------------------------
>> Colocation vs. Managed Hosting
>> A question and answer guide to determining the best fit
>> for your organization - today and in the future.
>> http://p.sf.net/sfu/internap-sfd2d
>> _______________________________________________
>> Openvpn-devel mailing list
>> Openvpn-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
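Joe's suggested test and David's description of the OpenVPN container both come down to what a protocol-detecting proxy sees in the first bytes of the TCP stream. The following is an added example (not code from this thread or from the OpenVPN project) that wraps a constructed TLS record prefix in an OpenVPN TCP control frame, as sent without --tls-auth, and shows that an offset-0 check classifies the wrapped stream differently from the bare TLS record; the framing fields follow OpenVPN's TCP wire format, and the sample bytes, session id and packet id are constructed values.

```python
import struct

# OpenVPN control-channel opcodes (top 5 bits of the byte after the TCP length prefix)
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet of a session, carries no TLS payload
P_CONTROL_V1 = 4                     # subsequent control packets carry the TLS handshake

# Constructed sample: a TLS record header (handshake, TLS 1.0) plus a few
# ClientHello bytes; enough for an offset-0 protocol check, not a full hello.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"


def openvpn_tcp_frame(tls_bytes, opcode=P_CONTROL_V1, session_id=b"\x11" * 8):
    """Wrap TLS bytes in an OpenVPN control packet as sent over TCP (no --tls-auth):
    [2-byte length][opcode<<3 | key_id][8-byte session id][ack count = 0][4-byte packet id][payload]."""
    body = bytes([opcode << 3]) + session_id + b"\x00" + struct.pack(">I", 1) + tls_bytes
    return struct.pack(">H", len(body)) + body


def unwrap_openvpn(frame):
    """Strip the OpenVPN container and return the TLS payload, or None if this is not a control frame."""
    if len(frame) < 3:
        return None
    (length,) = struct.unpack(">H", frame[:2])
    body = frame[2:2 + length]
    if length == 0 or len(body) != length:
        return None
    if body[0] >> 3 not in (P_CONTROL_V1, P_CONTROL_HARD_RESET_CLIENT_V2):
        return None
    pos = 1 + 8                          # opcode byte + local session id
    ack_count = body[pos]
    pos += 1 + 4 * ack_count             # ack count byte + acked packet ids
    if ack_count:
        pos += 8                         # remote session id is present only when acks are sent
    pos += 4                             # this packet's own id
    return body[pos:]


def classify(first_bytes):
    """What an offset-0 protocol detector sees, in the spirit of a transparent SSL proxy."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03:
        return "tls"                     # TLS record: handshake content type, version 3.x
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"
    if unwrap_openvpn(first_bytes) is not None:
        return "openvpn-tcp"             # length prefix + control opcode, TLS hidden inside
    return "unknown"


if __name__ == "__main__":
    frame = openvpn_tcp_frame(TLS_CLIENT_HELLO_PREFIX)
    print(classify(TLS_CLIENT_HELLO_PREFIX), classify(frame), classify(unwrap_openvpn(frame)))
```

A proxy that only accepts streams classified as "tls" at offset 0 is exactly the case where OpenVPN on 443 fails while plain non-HTTP SSL traffic passes.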