Now trying to create an https proxy for Outlook Web Access with Zorp GPL 3.1.12.

1. It looks like some of the constants are named differently than the Zorp GPL tutorial at http://www.balabit.hu/network-security/zorp-gateway/gpl/tutorial/, for example it mentions PSSL_VERIFY_NONE and PSSL_VERIFY_REQUIRED_TRUSTED in the example in section 5.6, but the code for the included Pssl.py v. 1.28 says

    SSL_VERIFY_NONE = 0
    SSL_VERIFY_OPTIONAL = 1
    SSL_VERIFY_REQUIRED_UNTRUSTED = 2
    SSL_VERIFY_REQUIRED_TRUSTED = 3

(without the "P")

2. Looks like some methods and constants mentioned in the Zorp Gateway v3.1 SSL tutorial PDF aren't there, for example

Methods:

    server_ssl_method
    server_disable_proto
    server_ssl_cipher

Constants:

    PSSL_METHOD_SSLV23  Permit the use of SSLv2 and v3.
    PSSL_METHOD_SSLV2   Permit the use of SSLv2 exclusively.
    PSSL_METHOD_SSLV3   Permit the use of SSLv3 exclusively.
    PSSL_METHOD_TLSV1   Permit the use of TLSv1 exclusively.
    PSSL_METHOD_ALL     Permit the use of all the supported (SSLv2, SSLv3, and TLSv1) protocols.

Is this because these are only defined in the Pssl module for Zorp Pro?

3. Using a policy.py containing

    from Zorp.Core import *
    from Zorp.Http import *
    from Zorp.Plug import *
    from Zorp.Pssl import *

    def Zhttps():
        Service("INhttps", INhttps, router=DirectedRouter(SockAddrInet("10.0.0.9", 80)))
        Listener(SockAddrInet("aaa.bbb.ccc.ddd", 50443), "INhttps")

    class StrongPsslProxy(PsslProxy):
        def config(self):
            PsslProxy.config(self)
            #docs say PSSL_VERIFY_NONE
            self.client_verify_type = SSL_VERIFY_NONE
            self.server_ca_directory = "/etc/ssl/certs/"
            #PDF docs want more here -
            #self.server_ssl_method = PSSL_METHOD_TLSV1
            #self.server_disable_proto = TRUE
            #self.server_ssl_cipher = PSSL_CIPHERS_HIGH

    class INhttps(StrongPsslProxy):
        def config(self):
            StrongPsslProxy.config(self)
            self.server_need_ssl=FALSE
            self.server_keypair_files = ("/etc/ssl/certs/owa.crt", "/etc/ssl/private/owa.key")
            self.stack_proxy=(Z_STACK_PROXY, OWAHttpProxy)
            #wild guess on my part, maybe this will help
            self.client_need_ssl=TRUE

    class OWAHttpProxy(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            self.request_header["Front-End-Https"]=(HTTP_HDR_INSERT, "on")

I'm seeing in my logs stuff like

    Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting proxy instance; client_fd='15', client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(aaa.bbb.ccc.ddd:443)', client_protocol='TCP'
    Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): Server connection established; server_fd='18', server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra, 10.0.0.0/24)', server_local='AF_INET(10.0.0.69:55718)', server_protocol='TCP'
    Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL handshake failed on the client side; error='error:1408A0C1:SSL routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared cipher:reason(193)'

Where 10.0.0.0 is the local network, aaa.bbb.ccc.ddd is my public IP, and aaa.bbb.ccc.def is the gateway address of my Snapgear (which my internal test client demasquerades as.)

Looks like the protocol is defaulting to TCP instead of something sane like TLSV1, but I can't set it anywhere I can see. Is this disabled on purpose or is there something I can do to fix it?

Thanks in advance!

David Yerger
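
Added example, not part of the original post and not Zorp's own code: a small parser for the log lines quoted above that picks out failed SSL handshakes, ties each one to the client that opened the session, and unpacks the OpenSSL error number. It assumes the line layout shown in the post and the pre-3.0 OpenSSL packing of library, function and reason into one 32-bit code; the function names are illustrative.

```python
import re

# The three log lines quoted in the post (addresses are the poster's placeholders).
SAMPLE_LOG = """\
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting proxy instance; client_fd='15', client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(aaa.bbb.ccc.ddd:443)', client_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): Server connection established; server_fd='18', server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra, 10.0.0.0/24)', server_local='AF_INET(10.0.0.69:55718)', server_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL handshake failed on the client side; error='error:1408A0C1:SSL routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared cipher:reason(193)'
"""

# "(session): message; key='value', key='value'" as seen in the lines above.
LINE_RE = re.compile(r"zorp/\w+\[\d+\]: \((?P<session>[^)]+)\): (?P<msg>[^;]+);\s*(?P<params>.*)$")
PARAM_RE = re.compile(r"(\w+)='([^']*)'")
FAIL_RE = re.compile(r"SSL handshake failed on the (\w+) side")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:lib\(\d+\):([^:]*):func\(\d+\):([^:]*):reason\(\d+\)")


def decode_openssl_error(text):
    """Unpack a pre-3.0 OpenSSL error code: lib (8 bits), func (12), reason (12)."""
    m = ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "function": m.group(2), "reason_text": m.group(3)}


def handshake_failures(log_text):
    """Return one record per failed handshake, joined to the client that opened the session."""
    clients, failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a Zorp session line
        params = dict(PARAM_RE.findall(m.group("params")))
        base = "/".join(m.group("session").split("/")[:2])  # svc/INhttps:0/pssl -> svc/INhttps:0
        if "client_address" in params:
            clients[base] = params["client_address"]
        fail = FAIL_RE.search(m.group("msg"))
        if fail:
            record = {"session": base, "side": fail.group(1), "client": clients.get(base)}
            record.update(decode_openssl_error(params.get("error", "")) or {})
            failures.append(record)
    return failures


if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_LOG):
        print(f)
```

The numeric fields unpacked from 1408A0C1 agree with the lib(20), func(138) and reason(193) annotations already present in the logged error string.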