Opened 5 years ago

Last modified 4 years ago

#594 new Feature Wish

HTTPS (SSL) proxy support

Reported by: ValdikSS Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: proxy
Cc:

Description

I'd like to see so-called HTTPS proxy support in OpenVPN. Basically this is a usual HTTP proxy with a TLS layer above it. This is not standardized and is currently supported by Chromium and Firefox only. Since the handshake process with this proxy looks like a usual SSL (HTTPS) handshake, adding support would help to bypass OpenVPN protocol blocks in some countries like Turkmenistan and China (probably others too), and it should not be that hard to add because OpenVPN supports the usual HTTP (CONNECT) proxy.

Change History (1)

comment:1 Changed 4 years ago by jhaar

If this is done, I think the following features would be needed to make it robust and secure:

  1. make sure the client TLS negotiation includes SNI (just because that's what all browsers do, and someone might be running the server on CloudFlare/Akamai, who reject TLS without SNI)
  2. do cert validation of the HTTPS proxy if wanted. I can imagine some implementations would:
  • use the openvpn server cert on the proxy too (so it would already match the current "--ca" setting on the client)
  • others may want a different valid cert, so maybe it would need a "https-ca" option, e.g. a network of openvpn clients/servers using an internal CA, but the HTTPS proxy uses a standard Verisign/etc. CA-signed server cert
  • don't validate the cert at all, so it would allow the client to bounce through a non-validated HTTPS proxy. This is still secure as you're not relying on the HTTPS tunnel to provide any security - it still has the full openvpn session in place. In fact, maybe the other two aren't needed - just use the HTTPS proxy and don't validate at all?

Jason
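An added example (not OpenVPN code, and not from either poster) of the client-side flow the ticket and the comment above describe: TLS to the proxy with SNI set to the proxy's host name, an ordinary HTTP CONNECT sent inside that TLS session, and the three certificate-validation policies from the comment (reuse the client's --ca bundle, a separate bundle via a hypothetical --https-ca option, or no validation). The policy constants, function names and the --https-ca option are this example's own assumptions; the CONNECT request itself is the same one a plain HTTP proxy receives.

```python
"""Sketch of a TLS-wrapped ("HTTPS") proxy client for an OpenVPN-style tunnel.

Added example, not OpenVPN code. Flow:
  1. TCP to the proxy, TLS handshake with SNI = proxy host name.
  2. Inside that TLS session, a plain HTTP CONNECT to the OpenVPN server.
  3. On a 2xx reply, the stream carries the OpenVPN session, which does its
     own TLS, so validating the proxy certificate is optional policy.
The policy names and the --https-ca option are assumptions of this sketch.
"""
import socket
import ssl
from typing import Optional, Tuple

VERIFY_OPENVPN_CA = "openvpn-ca"  # proxy presents the OpenVPN server cert; reuse --ca
VERIFY_HTTPS_CA = "https-ca"      # separate bundle (hypothetical --https-ca option)
VERIFY_NONE = "none"              # skip validation; security rests on the inner session


def build_proxy_tls_context(policy: str, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the outer hop to the proxy, per validation policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if policy == VERIFY_NONE:
        # check_hostname must be disabled before verify_mode can become CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif policy in (VERIFY_OPENVPN_CA, VERIFY_HTTPS_CA):
        if not ca_file:
            raise ValueError(f"policy {policy!r} needs a CA bundle")
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_file)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ctx


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Same CONNECT request a plain HTTP proxy gets; only the transport differs."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(head: bytes) -> Tuple[int, str]:
    """Return (status code, reason phrase) from the proxy's response header block."""
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def perform_connect(stream, target_host: str, target_port: int) -> bytes:
    """Send CONNECT over an established stream (plain or TLS) and read the reply.

    Returns any bytes received past the header terminator: the proxy may
    already have forwarded the first bytes from the OpenVPN server, and
    dropping them would corrupt the inner session.
    """
    stream.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = stream.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before replying")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ValueError("proxy response header too large")
    head, _, leftover = buf.partition(b"\r\n\r\n")
    code, reason = parse_connect_response(head)
    if not 200 <= code < 300:
        raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    return leftover


def open_https_proxy_tunnel(proxy_host: str, proxy_port: int, target_host: str,
                            target_port: int, policy: str = VERIFY_NONE,
                            ca_file: Optional[str] = None,
                            sni: Optional[str] = None) -> Tuple[ssl.SSLSocket, bytes]:
    """Full outer hop: TLS (with SNI) to the proxy, then CONNECT inside it.

    Needs a real TLS-speaking proxy, so it is not exercised offline.
    """
    ctx = build_proxy_tls_context(policy, ca_file)
    raw = socket.create_connection((proxy_host, proxy_port))
    # server_hostname sends SNI (point 1 of the comment) and, when
    # check_hostname is on, is the name the proxy certificate must match.
    tls = ctx.wrap_socket(raw, server_hostname=sni or proxy_host)
    leftover = perform_connect(tls, target_host, target_port)
    return tls, leftover
```

Two points worth noting from the sketch. First, with VERIFY_NONE the outer hop authenticates nobody, so an on-path party can terminate it and see the CONNECT target; as the comment says, the confidentiality and authenticity of the tunnelled traffic come from the inner OpenVPN session, not from this hop. Second, the leftover bytes after the CONNECT reply must be handed to the inner session rather than discarded, since a proxy is free to forward the server's first bytes in the same segment as its status line.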
