[sslh] sslh 1.6i-4 / Don't work over wan, but ok in lan !
Yves Rutschle
yves at naryves.com
Sat Jan 15 21:02:36 CET 2011
On Sat, Jan 15, 2011 at 06:45:40PM +0100, diffusion at bulot-fr.com wrote:
> >New theory: the ssh client you use on your phone is strange.
> >(as in, does not wait for the server banner to arrive before
> >starting protocol negociation).
>
> It's a good idea, I couldn't change anythings about it ... or in long,
> long time .... :-D
> >- Can you provide a tcpdump trace of an ssh connection:
> > tcpdump -X -s 0 port 443
> Yes, in private.
Thanks for traces -- that confirms my theory: the first
three packets are TCP connection opening (syn - syn/ack -
ack), then a normal ssh client waits for the ssh server
banner (e.g. SSH-2.0-OpenSSH_5.5p1.Debian-4ubuntu4), while
ConnectBot starts speaking first, which confuses sslh (as
sslh relies on the client not speaking to differentiate ssl
from ssh).
I guess ConnectBot hopes to save some latency by violating
the protocol. It'd be useful to report a bug though, you
should have at least the option to run the client under
fully compliant mode.
Looking at the traces, I reckon the heuristic to
differenciate ssl from ssh can be improved in sslh -- I'll
look into it tomorrow (you'll need to recompile, though).
> From my work, i could retry, with the tcpdump syntax below.
> but it's the same result : no connection, but there's a proxy with
> authentification and filter (see 'kwartz' on the web)
Which client are you using in that case? Maybe the proxy
makes a difference too...
Y.
More information about the sslh
mailing list