Shane Hathaway wrote:
But you don't need reliability compensation to multiplex. SSH assumes the transport layer is reliable. So an SSH tunnel and an SSL tunnel are virtually synonymous.
They're not really, but yeah, I was wrong :) An SSL forwarder takes a packet and then sends it over another TCP connection that happens to be encrypted. It's basically a TCP port forwarder. Multiple client connections through the local SSL forwarder (e.g. stunnel) will run over *multiple* outgoing streams:

client --> stunnel on localhost ---> stunnel on www.foo.com ----> server on www.foo.com

SSH, OTOH, uses a multiplexing protocol, where multiple streams of data run over the same connection, and each has its own flow control. Multiple client connections over an SSH port forwarder will run over the same *single* stream.

A third thing is TCP over TCP, i.e. PPP over SSH or SSL, which functions as a full network connection.
The Python standard library has good support for an SSL client but not for an SSL server.
pyOpenSSL is good for both servers and clients. It could be better, but it's easy to start using it, especially for select()-based servers (its thread-safety is iffy). Twisted's SSL stuff uses it, and the latest version of pyOpenSSL may have an asyncore example.
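The multiplexing the reply describes, where several client connections are carried as channels inside one stream and each channel has its own flow-control window, as an added example in Python. This is illustration code written for this page; it is not from the thread, from pyOpenSSL or from OpenSSH. The frame layout (type, channel id, length, payload), the four message types and the 16-byte initial window are assumptions chosen for the example, not SSH's actual wire format, and channel ids are assumed to be allocated by one side only.

```python
import struct
from collections import defaultdict

# Assumed frame layout for this example (not the SSH wire format):
#   type (1 byte) | channel id (4 bytes, big-endian) | payload length (4 bytes) | payload
HEADER = struct.Struct("!BII")
MSG_OPEN, MSG_DATA, MSG_WINDOW_ADJUST, MSG_CLOSE = 1, 2, 3, 4
INITIAL_WINDOW = 16  # deliberately tiny so the flow-control path is exercised


class ChannelError(Exception):
    """Raised when the peer (or our own caller) violates the channel protocol."""


def frame(msg_type, channel_id, payload=b""):
    return HEADER.pack(msg_type, channel_id, len(payload)) + payload


class Endpoint:
    """One end of a single byte stream carrying many logical channels."""

    def __init__(self):
        self.buf = b""                      # unparsed bytes from the peer
        self.send_window = {}               # channel id -> bytes we may still send
        self.recv_window = {}               # channel id -> bytes the peer may still send us
        self.received = defaultdict(bytes)  # channel id -> reassembled application data
        self.outbox = []                    # frames waiting to go onto the wire

    def open(self, cid):
        if cid in self.send_window:
            raise ChannelError("channel %d already open" % cid)
        self.send_window[cid] = self.recv_window[cid] = INITIAL_WINDOW
        self.outbox.append(frame(MSG_OPEN, cid))

    def send(self, cid, data):
        # The sender enforces the window locally: never put more on the wire than granted.
        if cid not in self.send_window:
            raise ChannelError("channel %d is not open" % cid)
        if len(data) > self.send_window[cid]:
            raise ChannelError("send window exhausted on channel %d" % cid)
        self.send_window[cid] -= len(data)
        self.outbox.append(frame(MSG_DATA, cid, data))

    def consume(self, cid, n):
        # The application drained n bytes; grant the peer credit to send n more.
        self.recv_window[cid] += n
        self.outbox.append(frame(MSG_WINDOW_ADJUST, cid, struct.pack("!I", n)))

    def close(self, cid):
        del self.send_window[cid], self.recv_window[cid]
        self.outbox.append(frame(MSG_CLOSE, cid))

    def flush(self):
        wire, self.outbox = b"".join(self.outbox), []
        return wire

    def feed(self, chunk):
        # Frames may arrive split across reads, so buffer until a whole frame is present.
        self.buf += chunk
        events = []
        while len(self.buf) >= HEADER.size:
            msg_type, cid, length = HEADER.unpack_from(self.buf)
            if len(self.buf) < HEADER.size + length:
                break
            payload = self.buf[HEADER.size:HEADER.size + length]
            self.buf = self.buf[HEADER.size + length:]
            events.append(self._dispatch(msg_type, cid, payload))
        return events

    def _dispatch(self, msg_type, cid, payload):
        if msg_type == MSG_OPEN:
            if cid in self.recv_window:
                raise ChannelError("duplicate open for channel %d" % cid)
            self.send_window[cid] = self.recv_window[cid] = INITIAL_WINDOW
            return ("open", cid)
        if cid not in self.recv_window:
            raise ChannelError("message for unknown channel %d" % cid)
        if msg_type == MSG_DATA:
            # The receiver checks the window too: a peer that ignores it is misbehaving.
            if len(payload) > self.recv_window[cid]:
                raise ChannelError("peer exceeded window on channel %d" % cid)
            self.recv_window[cid] -= len(payload)
            self.received[cid] += payload
            return ("data", cid, payload)
        if msg_type == MSG_WINDOW_ADJUST:
            if len(payload) != 4:
                raise ChannelError("malformed window adjust")
            credit = struct.unpack("!I", payload)[0]
            self.send_window[cid] += credit
            return ("window", cid, credit)
        if msg_type == MSG_CLOSE:
            del self.send_window[cid], self.recv_window[cid]
            return ("close", cid)
        raise ChannelError("unknown message type %d" % msg_type)


def demo():
    """Two channels interleaved over one stream, delivered in 7-byte chunks (constructed data)."""
    client, server = Endpoint(), Endpoint()
    client.open(1)
    client.open(2)
    client.send(1, b"GET / HTTP")   # 10 bytes on channel 1
    client.send(2, b"hello")        # 5 bytes on channel 2, interleaved on the same stream
    client.send(1, b"/1.0\r\n")     # 6 more bytes: channel 1's 16-byte window is now used up
    wire = client.flush()
    for i in range(0, len(wire), 7):
        server.feed(wire[i:i + 7])  # arbitrary chunking: frames are reassembled per channel
    server.consume(1, 16)           # server drains channel 1 and returns credit
    client.feed(server.flush())
    client.send(1, b"more")         # allowed again only because credit came back
    server.feed(client.flush())
    return dict(server.received), client.send_window[1]


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the reply makes: stunnel-style forwarding gives each client its own outer TCP connection, so the kernel does flow control per connection; once several clients share one stream, the protocol itself has to carry channel ids and per-channel windows, and both ends should treat a window overrun or a frame for an unopened channel as a protocol violation rather than silently buffering it.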