Secure Socket Tunneling Protocol

Secure Socket Tunneling Protocol (SSTP) is a proprietary standard owned by Microsoft. This means that the code is not open to public scrutiny, and Microsoft’s history of co-operating with the NSA, and ongoing speculation about possible backdoors built into the Windows operating system, do not inspire my trust and confidence in the standard.

Secure Socket Tunneling Protocol (SSTP) is a tunnelling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL/TLS v3) channel of the HTTPS protocol. The use of PPP data frames allows support for strong authentication methods, such as EAP-TLS. SSL/TLS provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.

  1. The client connects to the Internet and establishes a TCP connection to the server over port 443.
  2. On top of this TCP session, SSL negotiation takes place. The client receives the server certificate during the SSL authentication phase and validates it. If it is not valid, the connection is closed. No client (or user) authentication happens on the server side at the SSL phase.
  3. The client sends an HTTPS request on top of the encrypted SSL session.
  4. The client sends SSTP control packets on top of the HTTPS session. Once the SSTP state machine is up on both sides, a lower-link-up indication is given to the PPP layer on both ends.
  5. PPP negotiation (on top of SSTP over HTTPS) takes place. The client is authenticated on the server and, depending on the authentication algorithm, the server is authenticated on the client.
  6. PPP completes and attaches IP interfaces on both sides: the IP address given to the client by the VPN server and the server's IP address appear to be on the same LAN.
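
The SSTP control packets of step 4 and the PPP frames of step 5 share one framing inside the HTTPS stream. As an added example (not from the original page), this Python parser splits an already-decrypted stream into control and data packets; the field layout and message names are assumptions taken from Microsoft's published MS-SSTP specification, and the sample bytes are constructed.

```python
import struct

# Constants from the MS-SSTP specification (not stated on the page).
SSTP_VERSION = 0x10
MSG_TYPES = {0x0001: "CALL_CONNECT_REQUEST", 0x0002: "CALL_CONNECT_ACK",
             0x0003: "CALL_CONNECT_NAK", 0x0004: "CALL_CONNECTED",
             0x0005: "CALL_ABORT", 0x0006: "CALL_DISCONNECT",
             0x0007: "CALL_DISCONNECT_ACK", 0x0008: "ECHO_REQUEST",
             0x0009: "ECHO_RESPONSE"}

def parse_sstp_stream(buf):
    """Split a decrypted SSTP byte stream into control and data packets."""
    packets, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated SSTP header")
        version, flags, length = struct.unpack_from("!BBH", buf, off)
        length &= 0x0FFF                    # top 4 bits are reserved
        if version != SSTP_VERSION:
            raise ValueError(f"unexpected version 0x{version:02x}")
        if length < 4 or off + length > len(buf):
            raise ValueError("bad SSTP length field")
        body = buf[off + 4:off + length]
        if flags & 0x01:                    # C bit set: control packet (step 4)
            packets.append(parse_control(body))
        else:                               # C bit clear: PPP frame (step 5)
            packets.append({"kind": "data", "ppp": body})
        off += length
    return packets

def parse_control(body):
    if len(body) < 4:
        raise ValueError("truncated control message")
    msg_type, n_attrs = struct.unpack_from("!HH", body, 0)
    attrs, off = [], 4
    for _ in range(n_attrs):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        _, attr_id, alen = struct.unpack_from("!BBH", body, off)
        alen &= 0x0FFF                      # attribute length includes its header
        if alen < 4 or off + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_id, body[off + 4:off + alen]))
        off += alen
    return {"kind": "control", "type": MSG_TYPES.get(msg_type, hex(msg_type)),
            "attrs": attrs}

# Constructed sample: Call Connect Request (encapsulating PPP), then one PPP LCP frame.
SAMPLE = bytes.fromhex("1001000e000100010001000600011000000ac02101010004")
```

The length checks matter when this runs over captured traffic: a length field below 4 or past the end of the buffer is rejected rather than looped on or sliced silently.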