This is access through an HTTP proxy, followed by a patched Apache2 with the "AllowCONNECT" and "SSLVerifyClient require" options set.
The server requires the client's "-cert" to be signed by the CA in "SSLCACertificateFile", and the client requires the server's "SSLCertificateFile" to be signed by the CA in "-CAfile".
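<VirtualHost *:443>
SSLEngine on
# SSLv2 and SSLv3 are both broken (SSLv3 since POODLE): allow only the TLS versions
SSLProtocol all -SSLv2 -SSLv3
# a single cipher: AES-256-CBC with a SHA-1 MAC and RSA key exchange.  There is
# no forward secrecy - whoever holds apache.key can decrypt recorded sessions.
# check the string with "openssl ciphers -v 'AES256-SHA'"
SSLCipherSuite AES256-SHA
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# this host's own certificate and private key
SSLCertificateFile /usr/local/lib/ssl/certs/apache.crt
SSLCertificateKeyFile /usr/local/lib/ssl/private/apache.key
# our cert was issued by our own root; it is sent to clients as the chain
SSLCertificateChainFile /usr/local/lib/ssl/cacert.pem
# client certificates must be signed by that same root.  Revoked ones are
# looked up under SSLCARevocationPath, and the root's DN is announced in the
# CertificateRequest so clients can pick the matching certificate.
SSLCACertificateFile /usr/local/lib/ssl/cacert.pem
SSLCARevocationPath /usr/local/lib/ssl/crl/
SSLCADNRequestFile /usr/local/lib/ssl/cacert.pem
SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth +StrictRequire
# no valid client certificate, no TLS session: together with the address
# list below this is what keeps the forward proxy from being open to anyone
SSLVerifyClient require
# this vhost functions as a forward proxy to interesting places
ProxyRequests On
ProxyVia On
# ports the CONNECT method may target
AllowCONNECT 443 22 5222 5223 119 576
# second layer: proxying is only served to these source networks
# (Apache 2.2 access-control syntax)
<Proxy *>
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
Allow from 192.0.2.0/24 2001:db8::/32
</Proxy>
</VirtualHost>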
This should also verify the server certificate, and abandon the connection if it is not right.
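#!/bin/bash
# ssltunnel - reach a port behind an Apache forward proxy that is only
# reachable through a local HTTP proxy and only over TLS with a client
# certificate.  Intended as an ssh ProxyCommand: the tunnelled byte stream
# is on stdin/stdout, diagnostics go to stderr.
#
# Usage: ssltunnel <local-proxy[:port]> <tls-proxy-host>
#   $1 - HTTP proxy reachable from this machine (handed to nc -x)
#   $2 - host running the Apache forward proxy on port 443
#
# Three hops are chained:
#   1. nc6 listener -> nc -X connect through $1 to $2:443
#   2. nc6 listener -> openssl s_client over hop 1 (client cert presented,
#      server cert verified against TRUSTED)
#   3. nc -X connect through hop 2, i.e. an HTTP CONNECT inside the TLS
#      session, to localhost:22 as seen from the proxy host
set -u

CERT=/usr/local/lib/ssl/certs/cert.pem
KEY=/usr/local/lib/ssl/private/private.key
TRUSTED=/usr/local/lib/ssl/certs/trusted.crt

die() { printf '%s\n' "$*" >&2; exit 1; }

# Only accept a bare host, host:port or [v6addr]:port token: nc6 hands the
# --exec string to a shell (the "2>&4" below relies on that), so spaces,
# quotes, "$" or ";" in an argument would be interpreted rather than passed
# on.  In the pattern, "]" directly after "!" is a literal character.
check_host_arg() {
  case "$1" in
    '' | *[!]A-Za-z0-9._:[-]*) die "refusing unsafe or empty argument: $1" ;;
  esac
}

# Print the addr:port (e.g. 127.0.0.1:40123) on which the nc6 started as
# PID $1 listens.  The listener is backgrounded with -p 0 (kernel-chosen
# port), so it may not have bound yet: poll netstat a few times before
# giving up.  Column 4 of "netstat -lnp" is the local address.
listen_addr() {
  local pid=$1 try cols
  for try in 1 2 3 4 5 6 7 8 9 10; do
    # shellcheck disable=SC2207 — splitting the netstat line into columns is intended
    cols=($(netstat -lnp 2>/dev/null | grep "[[:space:]]${pid}/nc6"))
    if [ -n "${cols[3]:-}" ]; then
      printf '%s\n' "${cols[3]}"
      return 0
    fi
    sleep 0.2
  done
  return 1
}

[ $# -eq 2 ] || die "usage: ${0##*/} <local-proxy[:port]> <tls-proxy-host>"
check_host_arg "$1"
check_host_arg "$2"

# hop 1: every connection to this listener goes through the local proxy to
# the TLS port of the Apache forward proxy
nc6 -l -s 127.0.0.1 -p 0 --exec "nc.openbsd -X connect -x $1 $2 443" &
HOP1=$(listen_addr "$!") || die "hop 1 listener (nc6) did not come up"

# keep the real stderr on fd 4 so that openssl's messages - above all a
# failed server certificate check - reach the user instead of the tunnel
exec 4>&2

# hop 2: wrap each connection in a TLS session over hop 1.  -cert/-key answer
# the server's "SSLVerifyClient require"; -CAfile is what the server
# certificate must chain to.  -verify_return_error makes a verification
# failure fatal to the handshake - with -verify alone s_client only prints
# the error and carries on, which is exactly what this tunnel must not do.
# (-verify -1 is kept from the original: verification on, default chain
# depth - confirm against the installed openssl.)
nc6 -l -s 127.0.0.1 -p 0 --exec "2>&4 /usr/bin/openssl s_client -nbio -verify -1 \
-verify_return_error -quiet -connect ${HOP1} -cert ${CERT} \
-key ${KEY} -CAfile ${TRUSTED}" &
HOP2=$(listen_addr "$!") || die "hop 2 listener (nc6) did not come up"

# hop 3: use the TLS session as an HTTP proxy and CONNECT to port 22 of
# "localhost" as the remote Apache sees it; this process is replaced by nc
exec nc.openbsd -X connect -x "${HOP2}" localhost 22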
To use it, add something like this to ~/.ssh/config:
Host tunnel
    ProxyCommand ssltunnel wpad:8080 remote.example.net
Then you may connect to the remote SSH server inside SSL with "ssh tunnel".