[Zope-dev] OpenSSH configuration between ZEO clients & storage server
Itamar Shtull-Trauring
twisted@itamarst.org
Wed, 27 Mar 2002 19:01:10 +0200
Shane Hathaway wrote:
> But you don't need reliability compensation to multiplex. SSH assumes
> the transport layer is reliable. So an SSH tunnel and an SSL tunnel are
> virtually synonymous.
They're not really, but yeah, I was wrong :)
An SSL forwarder takes a packet and then sends it over another TCP
connection that happens to be encrypted. It's basically a TCP port
forwarder. Multiple client connections through the local SSL forwarder
(e.g. stunnel) will run over *multiple* outgoing streams:
client --> stunnel on localhost ---> stunnel on www.foo.com ----> server on www.foo.com
SSH, OTOH, uses a multiplexing protocol, where multiple streams of data
run over the same connection, and each has its own flow control.
Multiple client connections over an SSH port forwarder will run over the
same *single* stream.
A third thing is TCP over TCP, i.e. PPP over SSH or SSL, which functions
as a full network connection.
> The Python standard library has good support for an SSL client but not
> for an SSL server.
pyOpenSSL is good for both servers and clients. Could be better, but
it's easy to start using it, especially for select() based servers (its
thread-safety is iffy). Twisted's SSL stuff uses it, and the latest
version of pyOpenSSL may have an asyncore example.
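As an added illustration of the multiplexing described above (example code written for this page, not code from the thread, from SSH or from stunnel), here is a minimal SSH-style channel multiplexer in Python: several logical streams share one byte stream, each with its own send window, so a channel whose window is exhausted is refused without blocking the others. The frame layout, window sizes and sample payloads are constructed for the example.

```python
import struct

# Constructed frame layout for this example: channel id, payload length, payload.
FRAME_HDR = struct.Struct("!II")


class Mux:
    """Sender side: many logical channels share ONE byte stream (SSH-style),
    and each channel carries its own send window (per-channel flow control)."""

    def __init__(self, window):
        self.default_window = window
        self.windows = {}  # channel id -> bytes the peer will still accept

    def open(self, chan):
        self.windows[chan] = self.default_window

    def send(self, chan, payload):
        """Return the framed bytes to write to the shared connection."""
        if chan not in self.windows:
            raise KeyError(f"channel {chan} not open")
        if len(payload) > self.windows[chan]:
            # Only this channel stalls; the shared stream keeps flowing.
            raise BlockingIOError(f"channel {chan} window exhausted")
        self.windows[chan] -= len(payload)
        return FRAME_HDR.pack(chan, len(payload)) + payload

    def window_adjust(self, chan, n):
        """Peer reports it consumed n bytes on chan: reopen the window."""
        self.windows[chan] += n


def demux(buf):
    """Receiver side: split the shared stream into (channel, payload) frames.
    Returns the frames and any trailing bytes of an incomplete frame."""
    frames = []
    while len(buf) >= FRAME_HDR.size:
        chan, length = FRAME_HDR.unpack_from(buf)
        end = FRAME_HDR.size + length
        if len(buf) < end:
            break  # partial frame: wait for more data on the connection
        frames.append((chan, buf[FRAME_HDR.size:end]))
        buf = buf[end:]
    return frames, buf


def demo():
    mux = Mux(window=8)
    mux.open(1)
    mux.open(2)
    wire = mux.send(1, b"GET /") + mux.send(2, b"abc")
    try:
        mux.send(2, b"123456")  # 6 bytes > 5 left on channel 2: refused
        stalled = False
    except BlockingIOError:
        stalled = True
    wire += mux.send(1, b"x")  # channel 1 is unaffected by channel 2's stall
    frames, rest = demux(wire + b"\x00\x00")  # constructed partial trailing header
    return frames, rest, stalled
```

With stunnel, by contrast, each client connection would become its own outgoing TCP stream, so there is no shared framing or per-channel window to manage.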