On Tue, Aug 21, 2007 at 04:36:46AM -0500, T.J. Yang wrote:
If hb encryption via stunnel is implemented then a port for plaintext redirection is needed.
No, you need to configure your clients to use the encrypted port. Or do some firewall redirecting of the traffic to the encrypted service.
What is the impact of mixing bb encrypted message and hb encrypted message protocols on the same port number? And I don't believe Quest publishes the bb message encryption protocol.
I have no idea how Quest implements encryption in the commercial BB version. Most likely the Hobbit and BB encryption mechanisms will not be compatible - I don't see this as a problem; Hobbit clients have never been compatible with BB. The mechanism I see for Hobbit is like this:
CLIENT                          SERVER
Connect to server               Accept connection
Send "STARTTLS\n"
                                Send "OK\n"
Perform TLS handshake           Perform TLS handshake
(Validate server cert)          (Validate client cert)
Exchange data                   Exchange data
Which is similar to how quite a few of the standard Internet protocols implement a "TLS upgrade" of the communication.
The certificate validation is optional, but quite trivial to implement. So this will also allow for fine-grained control over who can feed data into Hobbit.
Regarding the request for a dedicated port number: The problem is that I really do not believe IANA would be willing to assign a port number for Hobbit - it would be against their stated policy of not assigning different port numbers for the plain-text and encrypted versions of an application-layer protocol. Since BB already has a port number assignment, getting a new one for Hobbit doesn't seem likely.
Henrik
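The STARTTLS-style upgrade sketched in the exchange above, as an added example that is not Hobbit's own code: both sides fail closed, so the server honours no application data before an exact STARTTLS line and the client never falls back to plaintext if the server does not answer OK. The TLS handshake itself is passed in as a `wrap` callable (assumption: by default a pass-through stand-in, so the negotiation runs stand-alone; with real certificates one would pass an `ssl.SSLContext.wrap_socket` configured for mutual validation), and the status line is a constructed sample.

```python
import socket
import threading

STARTTLS = b"STARTTLS\n"
OK = b"OK\n"

def read_line(sock, limit=64):
    """Read one newline-terminated line; over-long or truncated input yields b""."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk or len(buf) >= limit:
            return b""  # treated as a bad negotiation line by the caller
        buf += chunk
    return buf

def server_side(sock, wrap):
    """Accept side: only an exact STARTTLS line is honoured before the upgrade;
    wrap(sock) does the TLS handshake (with real certs: CERT_REQUIRED on the client)."""
    if read_line(sock) != STARTTLS:
        sock.sendall(b"ERR\n")  # fail closed: plaintext data is never accepted
        sock.close()
        return None
    sock.sendall(OK)
    return read_line(wrap(sock))  # application data only over the upgraded channel

def client_side(sock, wrap, payload, opener=STARTTLS):
    """Connect side: `opener` is the first thing sent (a legacy client would send
    data straight away); the payload is never sent in plaintext."""
    sock.sendall(opener)
    if read_line(sock) != OK:
        sock.close()
        raise ConnectionError("server refused the TLS upgrade")
    wrap(sock).sendall(payload)

def run_exchange(opener=STARTTLS, wrap=lambda s: s):
    """Drive both sides over a socketpair; returns (client_completed, data_accepted).
    The default wrap is a pass-through stand-in for the TLS handshake (assumption)."""
    a, b = socket.socketpair()
    got = {}
    t = threading.Thread(target=lambda: got.update(data=server_side(b, wrap)))
    t.start()
    try:
        client_side(a, wrap, b"status host.example green\n", opener)  # constructed sample
        completed = True
    except ConnectionError:
        completed = False
    t.join()
    a.close(); b.close()
    return completed, got.get("data")
```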