Philippe Lemesle wrote:
> Hello, all.
>
> At work, the admins are so paranoid that the policy is to block all internet
> access to ensure security.
> The only way to go to the Internet is by the way of an HTTP proxy which offers
> SSL functionality.
> The admins are aware that some employees use VPN over SSL. In fact, they are
> currently studying the option of cutting down the SSL functionality of the
> HTTP proxy.
> So it's possible that in the near future I won't be able to use OpenVPN
> anymore.
>
> I've studied alternative solutions and found a software called HTTHost
> (coupled with HTTPort for the client part).
> HTTHost is able to pass a plain non-SSL HTTP proxy via an option called
> "remote host".
> But it's less flexible than OpenVPN because it only tunnels TCP connections
> and doesn't offer true VPN functionality.
>
> So, it would be really nice if someone could add a functionality to the
> --http-proxy command so that we can connect to a remote host through a
> non-SSL HTTP proxy.
AFAIK, the so-called SSL functionality you are talking about uses the HTTP
CONNECT method. Unless your network admin doesn't want to allow your users to
access any https site, it should be enabled in the network proxy. Normally it
is only enabled on TCP port 443, which is luckily open at almost any ISP in the
world. So I use it to make an OpenVPN connection as normal.

Using the method described on the HTTPort page is horrible because your latency
increases dramatically and you need a "man in the middle" doing the dirty job.

I believe that it would be impossible to implement this feature in OpenVPN
without putting aside the whole security model it is built around (SSL/TLS;
they require a "real" TCP or UDP connection to work). And even if it were
implemented, in a similar way to what HTTPort does, it would lose almost all of
its VPN functionality. So I don't believe it would or should be implemented.

I can break through firewalls using many different ways, but I almost never saw
even one proxy that had the CONNECT method disabled.

I believe that if you are in a very restrictive network, and it is in your
enterprise policy that you shouldn't do this kind of connection, then you are
risking your job, even if the traffic is encrypted. I only do this kind of
break-through at my university, and even there, I managed to ask if it was a
breach of the network usage policy.

My 6 cents,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
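The CONNECT exchange Giancarlo refers to, as an added worked example that is not part of the thread and not OpenVPN's own code. A toy proxy enforces the "CONNECT only to port 443" policy he describes, and a client issues the same request an HTTP-proxy-aware VPN client would send; both halves run in-process over a socketpair. The host name `vpn.example.org`, the `ALLOWED_CONNECT_PORTS` policy and the three bytes pushed through the tunnel are constructed for the example.

```python
import socket
import threading

# Constructed policy for the toy proxy: CONNECT is permitted only to port 443,
# the "normally it is only enabled on TCP port 443" case from the reply.
ALLOWED_CONNECT_PORTS = {443}

# Hypothetical target name; it is not a real host.
VPN_SERVER = "vpn.example.org"


def build_connect_request(host, port):
    """Request line and headers an HTTP-proxy client sends to open a raw tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def recv_headers(sock):
    """Read from sock until the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def parse_connect_target(request):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    parts = request.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def proxy_decision(request):
    """Toy proxy policy: 400 for non-CONNECT, 403 for a disallowed port, else 200."""
    target = parse_connect_target(request)
    if target is None:
        return 400
    if target[1] not in ALLOWED_CONNECT_PORTS:
        return 403
    return 200


def parse_status(response):
    """Status code from the proxy's response line, or None if it is not HTTP."""
    parts = response.split(b"\r\n", 1)[0].decode("ascii", "replace").split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def serve_one_connect(sock):
    """Proxy side: answer one CONNECT; on 200, relay (here: echo) tunnel bytes."""
    reasons = {200: "Connection established", 400: "Bad Request", 403: "Forbidden"}
    code = proxy_decision(recv_headers(sock))
    sock.sendall(f"HTTP/1.1 {code} {reasons[code]}\r\n\r\n".encode("ascii"))
    if code == 200:
        # A real proxy would now copy bytes blindly between client and target;
        # echoing one chunk is enough to show the tunnel is opaque to it.
        sock.sendall(sock.recv(64))
    sock.close()


def connect_via_proxy(port):
    """Client side: open a tunnel to VPN_SERVER:port through the toy proxy.

    Returns (status_code, bytes_echoed_through_tunnel) or (status_code, None)
    when the proxy refused the tunnel.
    """
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=serve_one_connect, args=(proxy,))
    worker.start()
    client.sendall(build_connect_request(VPN_SERVER, port))
    code = parse_status(recv_headers(client))
    tunneled = None
    if code == 200:
        # Constructed stand-in for the first bytes the VPN client would now
        # send end-to-end; the proxy never inspects them.
        client.sendall(b"\x16\x03\x01")
        tunneled = client.recv(64)
    client.close()
    worker.join()
    return code, tunneled


if __name__ == "__main__":
    print("CONNECT to port 443: ", connect_via_proxy(443))
    print("CONNECT to port 1194:", connect_via_proxy(1194))
```

This is the same exchange OpenVPN performs when configured with `proto tcp`, `remote vpn.example.org 443` and `http-proxy <proxy-host> <proxy-port>`, which is why the server end has to listen on a port the proxy's CONNECT policy allows (a 403 to port 1194 above is the failure you would see otherwise). A 407 from the proxy means it wants credentials before it will open the tunnel; `parse_status` surfaces that too.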