Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1998/03/28 12:14:41 UTC

[PATCH] Make proxy CONNECT work again - Take 1

Proxy CONNECT broke a while ago (and nobody even noticed?!?).

Here's a preliminary patch to make it work again (line numbers will be
off by a few lines, but should otherwise patch cleanly).

How about it?   (the redundant r->method_number detection should be
cleaned up, of course).

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: [PATCH] Make proxy CONNECT work again - Take 1

Posted by Chuck Murcko <ch...@topsail.org>.
Marc Slemko wrote:
> 
> On Mon, 30 Mar 1998, Martin Kraemer wrote:
> 
> >     ...edited
> >
> > The apache in question has no idea what the SSL deal is all about,
> > it simply connects to (in my situation: the upstream firewall
> > proxy on port 80, else: ) the requested server on the requested
> > port.
> >
> 
> Except it is damn obvious that it is designed for SSL because it says it
> is for SSL, the standard says it is for SSL, and it only allows it on SSL
> (well, SSL NNTP or SSL) ports.
> 
> I think this is probably in violation of US export regulations.

No, it's perfectly exportable. The CONNECT mode proxy knows nothing
about the data stream, except the ports (recommended in Luotonen's draft
RFC) and that it moves data. No knowledge at all in there about anything
else. It's about as transparent as proxies get.
-- 
chuck
Chuck Murcko            The Topsail Group             West Chester PA
USA
chuck@topsail.org

Re: [PATCH] Make proxy CONNECT work again - Take 1

Posted by Chuck Murcko <ch...@topsail.org>.
Marc Slemko wrote:
> 
> On Mon, 30 Mar 1998, Martin Kraemer wrote:
> 
> >
> >     ...edited
> >
> > The apache in question has no idea what the SSL deal is all about,
> > it simply connects to (in my situation: the upstream firewall
> > proxy on port 80, else: ) the requested server on the requested
> > port.
> >
> 
> Except it is damn obvious that it is designed for SSL because it says it
> is for SSL, the standard says it is for SSL, and it only allows it on SSL
> (well, SSL NNTP or SSL) ports.
> 
> I think this is probably in violation of US export regulations.

No, the CONNECT mode proxy is about as transparent as a proxy gets. It
knows nothing about the data. It only even knows the port numbers
because it is recommended in Luotonen's draft RFC that they get checked.
Other than that, it knows a few proxy directives, and that's it. It's
eminently exportable.
-- 
chuck
Chuck Murcko            The Topsail Group             West Chester PA
USA
chuck@topsail.org

Re: [PATCH] Make proxy CONNECT work again - Take 1

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 30 Mar 1998, Martin Kraemer wrote:

> On Sun, Mar 29, 1998 at 12:54:58AM -0800, Dean Gaudet wrote:
> > > Proxy CONNECT broke a while ago (and nobody even noticed?!?).
> > 
> > Well I can't work on CONNECT, can I?  That's ssl crap isn't it?  :) 
> 
> No and yes. When I have a client in the inTRAnet and want to get out
> to a server in the inTERnet, connecting to, say,
> 
>     https://banking.bank24.de/
> 
> then the client will use whatever "security proxy" is configured (say:
> an apache-1.3b6 with proxy feature enabled) and issue a request...
> 
>     CONNECT banking.bank24.de:443 HTTP/1.0
> 
> The apache in question has no idea what the SSL deal is all about,
> it simply connects to (in my situation: the upstream firewall
> proxy on port 80, else: ) the requested server on the requested
> port.
> 

Except it is damn obvious that it is designed for SSL because it says it
is for SSL, the standard says it is for SSL, and it only allows it on SSL
(well, SSL NNTP or SSL) ports.

I think this is probably in violation of US export regulations.  


Re: [PATCH] Make proxy CONNECT work again - Take 1

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Sun, Mar 29, 1998 at 12:54:58AM -0800, Dean Gaudet wrote:
> > Proxy CONNECT broke a while ago (and nobody even noticed?!?).
> 
> Well I can't work on CONNECT, can I?  That's ssl crap isn't it?  :) 

No and yes. When I have a client in the inTRAnet and want to get out
to a server in the inTERnet, connecting to, say,

    https://banking.bank24.de/

then the client will use whatever "security proxy" is configured (say:
an apache-1.3b6 with proxy feature enabled) and issue a request...

    CONNECT banking.bank24.de:443 HTTP/1.0

The apache in question has no idea what the SSL deal is all about,
it simply connects to (in my situation: the upstream firewall
proxy on port 80, else: ) the requested server on the requested
port.

     Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
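
The only thing a CONNECT proxy inspects, as the messages in this thread describe it, is the host:port target on the request line. The sketch below is an added example, not code from the thread or from Apache: `check_connect` is a hypothetical helper, and the allowlist of 443 and 563 is an assumption standing in for the "SSL or SSL NNTP" ports mentioned in the discussion.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed allowlist: 443 (HTTPS) and 563 (NNTP over SSL). */
static const long allowed_ports[] = { 443, 563 };
/* Hypothetical helper: parse "CONNECT host:port HTTP/x.y".
 * Returns 0 and fills host/port if the tunnel may be opened,
 * -1 if the request line is malformed, -2 if the port is refused. */
int check_connect(const char *line, char *host, size_t hostlen, long *port)
{
    const char *target, *colon, *sp;
    char *end;
    size_t n, i;

    if (strncmp(line, "CONNECT ", 8) != 0)
        return -1;
    target = line + 8;
    sp = strchr(target, ' ');            /* end of the host:port target */
    if (sp == NULL || strncmp(sp + 1, "HTTP/", 5) != 0)
        return -1;
    colon = memchr(target, ':', (size_t)(sp - target));
    if (colon == NULL || colon == target)
        return -1;                       /* port mandatory, host non-empty */
    n = (size_t)(colon - target);
    if (n >= hostlen || colon[1] < '0' || colon[1] > '9')
        return -1;                       /* host too long, or port not numeric */
    errno = 0;
    *port = strtol(colon + 1, &end, 10);
    if (end != sp || errno != 0 || *port < 1 || *port > 65535)
        return -1;                       /* trailing junk or out of range */
    memcpy(host, target, n);
    host[n] = '\0';
    for (i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (*port == allowed_ports[i])
            return 0;
    return -2;                           /* well-formed, but port not allowed */
}

int main(void)
{
    /* Constructed request lines; the first is the one quoted in the thread. */
    const char *samples[] = { "CONNECT banking.bank24.de:443 HTTP/1.0",
                              "CONNECT mail.example.org:25 HTTP/1.0" };
    char host[256];
    long port;
    for (int i = 0; i < 2; i++)
        printf("%d %s\n", check_connect(samples[i], host, sizeof host, &port), samples[i]);
    return 0;
}
```

Without the port check, the proxy would relay bytes to any TCP service the client names, which is why the check is the one piece of policy a CONNECT handler carries.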

Re: [PATCH] Make proxy CONNECT work again - Take 1

Posted by Dean Gaudet <dg...@arctic.org>.

On Sat, 28 Mar 1998, Martin Kraemer wrote:

> Proxy CONNECT broke a while ago (and nobody even noticed?!?).

Well I can't work on CONNECT, can I?  That's ssl crap isn't it?  :) 

> Here's a preliminary patch to make it work again (line numbers will be
> off by a few lines, but should otherwise patch cleanly).
> 
> How about it?   (the redundant r->method_number detection should be
> cleaned up, of course).

You know, I think it's just pure chance this ever worked.  But then,
that's how the proxy is I suppose :)  But yeah clean up the
r->method_number thing and commit it. 

Dean