With a red face.
It turns out the author did roll the proxy support into stunnel. It was a new feature as of version 4.15 way back in November 2005.
Mea culpa once again.
On the SWG front it appears that even our nameless manufacturer’s tech support people can’t get SSL inspection to run out of the box. It’s been somewhat frustrating dealing with them but I won’t get into that.
Meanwhile I’m testing this thing without SSL inspection. The secret sauce I cooked into my own private (HACKED) version of PoTTY works fine. It slips through this thing like a hot, invisible knife through warm, rancid butter. But so far, the secret sauce works only with PoTTY and I’m beating my brains out trying to determine why.
I cooked it into stunnel and all it does is FAIL. I pulled up Wireshark and looked into the differences in how they connect, found them, and then hacked stunnel around to connect exactly like PoTTY connects.
Still: FAIL
The difference, if you’re interested, is that PoTTY sends its headers all at once to the proxy right after the three-way handshake, whereas stunnel sends them one by one. That wasn’t too terribly difficult to hack around, although in the process I broke proxy authentication. That’s not an issue in this environment. In fact, it’s never been an issue, which makes me think the secret sauce may not work in an environment that requires authentication… but that’s a side issue right now.
There are a few avenues left, one of which, if it works, will simply prove this device is brain-dead in its silly assumptions about what SSL is.
Stay tuned.