[Date Prev][Date Next]
Re: LDAP access through HTTP-CONNECT
"Kurt D. Zeilenga" wrote:
> Most HTTP-CONNECT proxies are able to restrict by IP address
> and/or port. Some HTTP-CONNECT proxies are able to restrict
> sessions to TLS/SSL. That is, they verify the first few
> octets are TLS/SSL exchanges.
Food for thought:
pppd -> stunnel -c -> HTTP proxy -> stunnel (port 443) -> pppd
Et voila! Show me the proxy admin who permits HTTP connect but
prevents you from accessing SSL port 443.
Kids! Don't try this at work! ;-)
> No. A TCP proxy w/ HTTP-CONNECT support can be setup on a local
> workstation to proxy any TCP stream through an HTTP-CONNECT proxy.
It seems that I got you slightly wrong. But nevertheless it's a
fixed setup to a certain connection.
> Here the LDAP client connects to localhost:port which the TCP-proxy
> forwards to the HTTP proxy which forwards to the LDAP server.
Yes, but I'd like to implement a client which can use the proxy
without installing anything else. I already thought about
automatically starting a forwarding TCP proxy demon with support for
HTTP-CONNECT but this opens a
security hole to a local attacker because I can't imagine a generic
way to protect the local proxy demon from being accessed by another
process on this machine.
> Such tunneling is best left outside
> of specific protocols and protocol APIs and implemented in
> more general ways (such as TCP proxies).
I disagree. IMHO some sort of proxy support for LDAP connections
should be part of the client lib to make sure that the LDAP
connection end-point is really accessible solely for the LDAP
application which opened the connection.