[Zope-dev] OpenSSH configuration between ZEO clients & storage server

Shane Hathaway shane@zope.com
Wed, 27 Mar 2002 10:36:44 -0500


Itamar Shtull-Trauring wrote:
> Toby Dickenson wrote:
> 
>> but ssh port forwarding is only one layer of TCP. ssh port forwarding
>> is good.
> 
> 
> I'm pretty sure it's TCP over TCP (ssh protocol does multiplexing). SSL 
> OTOH is not TCP over TCP.

I think you are mistaken. :-)  The site you referred to says that TCP 
over TCP is a bad idea because TCP always assumes an unreliable 
transport, and stacking the compensation results in excessive retries 
and a far less reliable connection.  I agree, this is likely to be a 
problem.

But you don't need reliability compensation to multiplex.  SSH assumes 
the transport layer is reliable.  So an SSH tunnel and an SSL tunnel are 
virtually synonymous.

Now, if ZEO accepted SSL connections directly, it would be quite secure 
and easy to use.  But an out-of-process SSL tunnel would suffer from 
exactly the same difficulties an SSH tunnel does.

The Python standard library has good support for an SSL client but not 
for an SSL server.

Shane