Toni Mueller wrote:
| Hi,
|
| On Thu, 01.09.2005 at 19:29:57 +0200, Markus Wernig <[EMAIL PROTECTED]> wrote:
|
|>Squid is different. Usually, it doesn't do SSL itself, but just passes
|>the connection on.
|
| it does, however, talk SSL to the outside server.

No, the client does.

|
|>You might be able to code around that by terminating two distinct
|>sessions on the gateway, and have the gateway read the data channel,
|
| [...] I am also a bit undecided about the usefulness
| of such devices.

Erm ... wasn't it you who suggested "that the control channel could be used to break end-to-end encryption into two pieces, originating or terminating at the gateway machine"? As said above, it would be technically feasible.

| E.g. I like to have my borders secured by OpenBSD, but
| I also like to have FTP access secured by SSL, thus making
| password-sniffing a bit more difficult. Having to choose between no
| firewall at the border on the one side and no SSL on the FTP server on
| the other is no satisfactory answer.
|

Hmm, considered using sftp?

The main reason why FTPS hasn't been adopted as a standard like FTP is actually the fact that it kept to FTP's original design (separate control and data connection, dynamic port allocation) while introducing encryption, which is still fine if there are no stateful devices in the path. It simply doesn't work anymore in the internet of today. Take away the concept of splitting control and data over two distinct TCP sessions, and FTPS will probably see the same success as FTP.

<rant>As to the reasons why FTP uses the design it does, the only thing that comes to my mind right now is shortcomings in the network stacks of the systems of that time like - say - the absence of the "select" or "fork" system calls or of other multiplexing capabilities.</rant>

But I suppose there were better reasons which I simply can't envision at the time :-)

/m
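An added illustration of the stateful-device problem described in the mail above (example code, not part of the original message): a minimal stand-in for a firewall's FTP helper that reads the plaintext control channel for RFC 959 PASV replies and PORT commands to learn which data connection to permit. The control-channel lines, hosts and ports are constructed, and the XOR scramble is not TLS; it only makes the bytes as opaque to the helper as real TLS would.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 959 client command for active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

# Constructed sample control channel (plaintext FTP); not a real capture.
CONTROL_PLAINTEXT: List[bytes] = [
    b"220 ftp.example.test ready\r\n",
    b"USER anonymous\r\n",
    b"331 Password required\r\n",
    b"PASS guest@\r\n",
    b"230 Logged in\r\n",
    b"PASV\r\n",
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
    b"RETR file.txt\r\n",
]


def parse_data_endpoint(line: bytes) -> Optional[Tuple[str, int]]:
    """Return the (host, port) a stateful helper would pinhole for the data
    connection, or None if this control line announces no data endpoint or
    carries out-of-range octets (each field must fit in one byte)."""
    for rx in (PASV_RE, PORT_RE):
        m = rx.match(line.strip())
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
                return None
            return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return None


def firewall_decision(control_lines: List[bytes], use_tls: bool) -> List[Tuple[str, int]]:
    """List the data-channel pinholes the helper can open from what it sees.
    With use_tls=True the control channel is replaced by an opaque stand-in
    (constructed XOR scramble, not real TLS), so the helper learns nothing
    and the dynamically negotiated data connection is left blocked."""
    pinholes = []
    for line in control_lines:
        visible = bytes(b ^ 0x5A for b in line) if use_tls else line
        endpoint = parse_data_endpoint(visible)
        if endpoint is not None:
            pinholes.append(endpoint)
    return pinholes
```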