ProxyTunnel 1.7 release

Tue Feb 27 2007

The latest version of ProxyTunnel was released at FOSDEM over the weekend which includes a patch I wrote to allow an SSH tunnel to work over a secure HTTP connection. In brief, there are now two ways to use SSL encryption in ProxyTunnel:

  1. Standard (--encrypt option)
    1. Connect to internal proxy server using HTTP
    2. Issue CONNECT command
    3. Perform SSL handshake with remote server
    4. Start tunnel
  2. Modified (--encrypt-proxy option)
    1. Connect to external proxy server using HTTPS
    2. Issue CONNECT command
    3. Start tunnel

Option 1 is the existing option, which is useful where a layer 7 inspecting firewall sits in the path. Because the tunnel is wrapped in SSL at both ends, the firewall sees what looks like a valid SSL connection regardless of its contents, and so lets it pass. Option 2 is the new option added by my patch, and allows an HTTPS site running on Apache somewhere on the internet (which may also be used to host an existing secure website) to host a tunnel to another machine. For those of you interested in more information, I highly recommend reading the SSH tunneling page on Dag Wieërs' site.

One final aspect of the patch which is likely to be overlooked is that it introduces an abstraction API called streams to handle both SSL and non-SSL traffic. This made the final modifications trivial, since the only thing that differs between the two options is when the SSL handshake happens on the connection. It also allowed most of the #ifdef USE_SSL ... #endif statements to be moved into one location, rather than being scattered arbitrarily through many different files, which should make the application much more robust in the face of future changes.
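The two orderings listed above, and the single point at which they differ (when the TLS handshake happens relative to CONNECT), as an added Python example that is not ProxyTunnel's own code; the proxy and destination host names are placeholders supplied by the caller, and the function names are mine.

```python
import socket
import ssl

# Added illustration, not ProxyTunnel source: the only difference between the
# two modes is where ctx.wrap_socket() sits relative to the CONNECT exchange.

def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """The CONNECT request both modes send once they can talk to the proxy."""
    target = f"{dest_host}:{dest_port}"
    return (f"CONNECT {target} HTTP/1.0\r\nHost: {target}\r\n"
            "Proxy-Connection: Keep-Alive\r\n\r\n").encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Status code from the proxy's reply; ValueError if it is not HTTP."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {reply[:40]!r}")
    return int(parts[1])

def read_connect_reply(sock) -> tuple:
    """Read the proxy's response headers; return (headers, leftover bytes).
    Leftover bytes already belong to the tunnel and must not be discarded."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before replying")
        buf += chunk
    headers, _, rest = buf.partition(b"\r\n\r\n")
    return headers, rest

def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, mode):
    """mode 'encrypt': plain HTTP to the proxy, TLS to the destination after CONNECT.
    mode 'encrypt-proxy': TLS to the proxy first, CONNECT issued inside that session."""
    if mode not in ("encrypt", "encrypt-proxy"):
        raise ValueError(mode)
    ctx = ssl.create_default_context()  # certificate verification stays on
    sock = socket.create_connection((proxy_host, proxy_port))
    if mode == "encrypt-proxy":
        sock = ctx.wrap_socket(sock, server_hostname=proxy_host)
    sock.sendall(build_connect_request(dest_host, dest_port))
    headers, _rest = read_connect_reply(sock)
    if parse_connect_status(headers) != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {headers.splitlines()[0]!r}")
    if mode == "encrypt":
        sock = ctx.wrap_socket(sock, server_hostname=dest_host)
    return sock
```

The returned socket can be handed to an SSH client as its transport; with default verification left on, a proxy or endpoint presenting the wrong certificate fails the handshake rather than silently passing traffic.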