Corporate firewall braindamage

["H. Peter Anvin" <hpa@zytor.com>]

The apparent commonality of corporate firewall braindamage, and the 
resulting "need" of people to pull over dumb (http) transport, is an 
ongoing problem on kernel.org.

I have thought some about what can be done to improve the situation, and 
I have come up with the following list of possibilities, pretty much 
listed in order from easiest and least generic to hardest and most generic.

It would be very interesting if people who have familiarity with this 
particular class of braindamaged firewalls could comment on how many 
users would be helped by which ones of these solutions.


1. git protocol via CONNECT http proxy

    Connect to http proxy, and use a CONNECT method to establish a link
    to the git server, using the normal git protocol.

    Minor change to TCP connection setup, but no other changes needed.
    No changes on the server side.


2. git protocol over SSL via CONNECT http proxy

    Same as #1, but encapsulate the data stream in an SSL connection.
    If the git server is run on port 443, then the fact that the data
    on the SSL connection isn't actually HTTP should be invisible to the
    proxy, and thus this *should* work anywhere which allows https://
    traffic.

    Requires the git server to speak SSL.


3. git protocol encapsulated in HTTP POST transaction

    git protocol is already fundamentally a RPC protocol, where the
    client sends a query and the server responds.  Furthermore, it
    tries to minimize the number of round trips (RPC calls), which is
    of course desirable.

    Each such RPC transaction could be formulated as an HTTP POST
    transaction.

    This requires modifications to both the client and the server;
    furthermore, the server can no longer rely on the invariant "one TCP
    connection == one session"; a proxy might break a single session
    into arbitrarily many TCP connections.

Thoughts?

	-hpa