[sslh] adding proxying capability for tor

Yves Rutschle yves at naryves.com
Tue May 1 10:17:36 CEST 2012


Hi all,

> On 30 April 2012 09:39, Walter Haidinger <walter.haidinger at gmx.at> wrote:
> > However, given that the recommended ports for tor relays are 80
> > and 443 (which are least likely to be blocked), this would allow
> > people to run webservers and tor-relays on one IP.

I doubt connecting to tor on port 80 from inside a corporate
firewall would work -- usually those are behind actual HTTP
proxies that will block anything that's not HTTP.

> > This could become the "killer application" for sslh.

I don't know how many people use Tor, but I doubt it's more
than the number that use ssh. Even with Tor support, sslh's
main feature would remain ssh, IMHO :-)


On Mon, Apr 30, 2012 at 09:59:54AM +0100, Jon Spriggs wrote:
> You might find more traction in asking the TOR project to amend their
> project to enable relaying of HTTPS requests not destined for the TOR
> relay/node. They may even be able to use the signatures identified by
> this project to relay other traffic, but I doubt either will happen.

That's one possibility (either have Tor forward unknown
traffic further, to sslh, or make sslh into a library that
Tor would use).

Do you know much about Tor? It uses SSL, and I'm thinking if
you know which certificate the node advertises as
Tor-as-a-server and that Tor-as-a-client uses SNI, then it'd
be possible to sort connections for Tor from connections
for HTTPS.

For example:

On my server, I create a certificate with DN
'tor.example.org' that I'll use for Tor connections, and
another certificate called 'https.example.org'. I tell Tor
to advertise 'tor.example.org' to other Tor nodes.

Then I tell sslh to look at the SNI header, and configure it
to forward to the appropriate server based on the requested
DN.

Unfortunately I can't find if that's possible with Tor, and
it's way too sunny to look it up today.

Cheers,
Y.
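A worked version of the SNI-based sorting sketched in the message above, added here as an illustration and not code from sslh or from the original poster. It builds a minimal TLS ClientHello (constructed sample input, not a capture from Tor), extracts the host_name from the SNI extension, and picks a backend by that name. The hostnames 'tor.example.org' and 'https.example.org' are the ones from the message; the backend addresses and ports are assumptions. It also assumes, as the message does without confirming it, that a Tor client actually sends SNI; a ClientHello with no SNI, or a connection that is not TLS at all, falls through to the default backend.

```python
"""Sort incoming TLS connections by the server name in the ClientHello's SNI extension."""
import struct

# Assumed mapping from advertised certificate name to backend (host, port).
BACKENDS = {
    "tor.example.org": ("127.0.0.1", 9001),    # Tor ORPort, assumed
    "https.example.org": ("127.0.0.1", 8443),  # web server, assumed
}
# Anything without a recognised SNI (including non-TLS data) goes here.
DEFAULT_BACKEND = ("127.0.0.1", 8443)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    random = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\xc0\x2f\x00\x9c"  # two suites; their identity does not matter here
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = SNI
    body = (b"\x03\x03" + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def extract_sni(data):
    """Return the host_name from a ClientHello's SNI extension.

    Returns None when the bytes are not a TLS ClientHello or carry no SNI;
    raises ValueError when the record is truncated or malformed.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None  # not a TLS handshake record (e.g. an SSH banner)
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len:
            raise ValueError("truncated TLS record")
        if len(rec) < 4 or rec[0] != 0x01:
            return None  # a TLS record, but not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            raise ValueError("truncated handshake message")
        pos = 2 + 32                                  # client_version + random
        sid_len = hs[pos]; pos += 1 + sid_len         # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        comp_len = hs[pos]; pos += 1 + comp_len       # compression_methods
        if pos + 2 > len(hs):
            return None  # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            ext = hs[pos:pos + ext_size]; pos += ext_size
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")


def route(first_bytes):
    """Choose a backend from the first bytes a client sent; unknown or absent SNI -> default."""
    return BACKENDS.get(extract_sni(first_bytes), DEFAULT_BACKEND)


if __name__ == "__main__":
    for name in ("tor.example.org", "https.example.org", None):
        print(name, "->", route(build_client_hello(name)))
    print("ssh banner ->", route(b"SSH-2.0-OpenSSH_6.0\r\n"))
```

The SNI is sent in the clear and is entirely under the client's control, so this only sorts traffic; it does not prove the peer is a Tor node, and each backend still has to present its own certificate and authenticate the connection as it normally would.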
