Hi Janos,
You can use a local proxy to "translate" HTTPS TLS1.0 to TLS1.2. Look here:
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-a...
HTTPSProxy (and tools) manages the whole traffic locally (in- and outgoing HTTPS), but needs manual configuration as described in the help files. If you have questions, please ask in this forum.
Regards, Thomas S.
-----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of stunnel-users-request@stunnel.org Sent: Wednesday, December 05, 2018 10:12 AM To: stunnel-users@stunnel.org Subject: stunnel-users Digest, Vol 173, Issue 4
Send stunnel-users mailing list submissions to stunnel-users@stunnel.org
To subscribe or unsubscribe via the World Wide Web, visit https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users or, via email, send a message with subject or body 'help' to stunnel-users-request@stunnel.org
You can reach the person managing the list at stunnel-users-owner@stunnel.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of stunnel-users digest..."
Today's Topics:
1. Re: older browsers, stunnel and privoxy (kovacs janos)
2. Re: older browsers, stunnel and privoxy (Zizhong Zhang)
3. Re: older browsers, stunnel and privoxy (kovacs janos)
4. Re: older browsers, stunnel and privoxy (Flo Rance)
----------------------------------------------------------------------
Message: 1
Date: Tue, 4 Dec 2018 19:27:15 +0100
From: kovacs janos kovacsjanosfasz@gmail.com
To: Flo Rance trourance@gmail.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: CAOchpkrOTmoAgCpv4fK19NhZeP-5-JgjX3EASFcfQbMVydR2yA@mail.gmail.com
Content-Type: text/plain; charset="UTF-8"
Well yes, I'm pretty sure the same encryption is needed in requests and the returned page, otherwise it would probably get a no cypher overlap error.
So I basically need stunnel to encrypt outgoing requests, and decrypt the returned things, and only on the browser side of the connection.
There's a good reason why they are deprecated, but it would be better to add this functionality this way if possible, rather than change whole programs, especially when it's the purpose of stunnel, according to the description.
On 12/4/18, Flo Rance trourance@gmail.com wrote:
This is not what I've understood from your first description. You would like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web proxy.
This is why I don't think stunnel is intended for that.
That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason and you should seriously think about updating your tools.
Regards, Flo
On Tue, Dec 4, 2018 at 3:18 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well, it says this on the first line of the website: "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
I just want to add TLS functionality to client browsers which don't have it. I only need stunnel to decrypt TLS traffic going back to the browser.
On 12/4/18, Flo Rance trourance@gmail.com wrote:
Sorry I didn't read it correctly. I don't think this is something stunnel can handle.
Regards, Flo
On Mon, Dec 3, 2018 at 9:31 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Thank you for the reply. It's the address and port where privoxy listens for requests. From the config file:

    # 4.1. listen-address
    # ====================
    #
    # Specifies:
    #
    # The IP address and TCP port on which Privoxy will listen for
    # client requests.

and under it:

    listen-address 127.0.0.1:8118
On 12/3/18, Flo Rance trourance@gmail.com wrote:
Hi,
It's not clear in your description what is running on 8118 local port.
Regards, Flo
On Mon, Dec 3, 2018 at 2:40 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Sorry to bother, I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy. The browser is configured to send to: 127.0.0.1 443
stunnel config has this at the end:

    [Tunnel_in]
    client = yes
    accept = 127.0.0.1:443
    connect = 127.0.0.1:8118
    verifyChain = yes
    CAfile = ca-certs.pem
    checkHost = localhost

127.0.0.1:8118 is the privoxy address. This is what stunnel writes:

    LOG5[main]: Configuration successful
    LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
    LOG5[0]: s_connect: connected 127.0.0.1:8118
    LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
and the browser infinitely loads, and never loads anything or leaves the page. If I remove the last 3 lines, it's the same, just with this line added:

    LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks

but it doesn't give an error or anything.
With a configuration like:

    [Tunnel_out]
    client = no
    accept = 127.0.0.1:443
    connect = 127.0.0.1:8118
    cert = stunnel.pem

this is what it gives:

    LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
    LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
    LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
and the browser gives a server not found error immediately. I'm not even sure if I should use client or server configuration in a case like this, but neither of them works anyway. All I would need is for my browser to get the pages decrypted, or at least in less than TLS1.1, like how on newipnow.com I can access sites with any encryption, since they are sent to the browser without encryption. The browser just gives an "unencrypted tunnel" warning, which is how I found stunnel, and which is exactly what I need, just locally.
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
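Both stunnel logs in the message above come down to one side speaking TLS where the other expects cleartext: the client service wraps the browser's request in TLS and hands it to privoxy, which only understands plain HTTP, and the server service receives the browser's cleartext proxy request where OpenSSL expects a ClientHello (OpenSSL reports a leading CONNECT as "https proxy request" and other methods as "http request"). The Python below is an added example, not code from the thread or from the stunnel project: it classifies the first bytes a listener receives and maps the combination of listener type and traffic to the symptom. The samples (a TLS 1.0 ClientHello, a modern ClientHello, a proxy CONNECT) are constructed, not captures from the thread.

```python
# Constructed samples, not captures from the thread. A ClientHello is a TLS
# record (type 0x16, legacy record version 3.1, length) carrying a handshake
# message (type 0x01, 3-byte length) whose body starts with client_version,
# then a 32-byte random, empty session id, one cipher suite, null compression.
def _client_hello(client_version: bytes) -> bytes:
    body = client_version + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

OLD_BROWSER_HELLO = _client_hello(b"\x03\x01")  # browser that tops out at TLS 1.0
MODERN_HELLO = _client_hello(b"\x03\x03")       # client offering TLS 1.2
PROXY_CONNECT = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
# What a browser sends in cleartext to an HTTP proxy (or directly to a web server).
HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a listener received: TLS ClientHello, cleartext
    HTTP (proxy) request, or something else."""
    if len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[1] == 3 and data[5] == CLIENT_HELLO:
        return {
            "kind": "tls-client-hello",
            "record_version": VERSION_NAMES.get((data[1], data[2]), "unknown"),
            # Offset 9..10 is the ClientHello's own (legacy) client_version field.
            "client_version": VERSION_NAMES.get((data[9], data[10]), "unknown"),
        }
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, _, rest = request_line.partition(" ")
        target = rest.split(" ")[0]
        # CONNECT or an absolute URL means the browser thinks it is talking to a proxy.
        kind = "http-proxy-request" if method == "CONNECT" or "://" in target else "http-request"
        return {"kind": kind, "method": method, "target": target}
    return {"kind": "unknown"}


def diagnose(result: dict, listener: str) -> str:
    """Explain what a listener ('tls' = stunnel with client = no, 'plain' = a
    cleartext HTTP proxy such as privoxy) makes of the classified traffic."""
    kind = result["kind"]
    if listener == "tls" and kind.startswith("http"):
        reason = "https proxy request" if result["method"] == "CONNECT" else "http request"
        return f"cleartext HTTP reached a TLS listener; OpenSSL reports SSL23_GET_CLIENT_HELLO:{reason}"
    if listener == "plain" and kind == "tls-client-hello":
        return "a TLS ClientHello reached a cleartext proxy; it cannot parse the request and the browser waits"
    if listener == "tls" and kind == "tls-client-hello":
        return f"TLS handshake as expected; client offers up to {result['client_version']}"
    if listener == "plain" and kind.startswith("http"):
        return f"cleartext {result['method']} request as expected"
    return "unrecognised traffic"


if __name__ == "__main__":
    for name, sample in [("old browser", OLD_BROWSER_HELLO), ("modern client", MODERN_HELLO),
                         ("browser proxy CONNECT", PROXY_CONNECT)]:
        result = classify_first_bytes(sample)
        for listener in ("tls", "plain"):
            print(f"{name:>22} -> {listener:5}: {diagnose(result, listener)}")
```

The modern ClientHello is worth a look: its record version still says TLSv1.0 (the legacy value every client sends for compatibility) while the client_version field says TLSv1.2, so a version check that reads only the record header misreads modern clients as old ones.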
------------------------------
Message: 2
Date: Tue, 04 Dec 2018 19:16:53 +0000
From: Zizhong Zhang zizazit@protonmail.com
To: kovacs janos kovacsjanosfasz@gmail.com
Cc: "stunnel-users@stunnel.org" stunnel-users@stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: mSx8WOjppmpWbvW5ETuPUXO048xh4PcPTtZPpOpzkrecueeSUtjQQx13FhtLO24lkyNXRPe_lNpMV8ko6RMEvowOx7mg6rl_1hwj43QAxWw=@protonmail.com
Content-Type: text/plain; charset=UTF-8
Hello,
I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
    events {}
    http {
        server {
            resolver 9.9.9.9;
            listen 80;
            location / {
                proxy_pass https://$host$request_uri;
                proxy_set_header Host $http_host;
            }
        }
    }

You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.
--Zizhong
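Zizhong's point that stunnel can serve one specific origin is worth spelling out as a configuration, because janos's [Tunnel_in] service points stunnel at privoxy (a cleartext HTTP proxy) instead of at a TLS origin. The service below is an added example, not from the thread or from the stunnel documentation. It assumes the hosts file maps www.example.com to 127.0.0.1 (the same trick Zizhong uses for nginx, so the browser sends the right Host header in cleartext to stunnel); www.example.com, the documentation address 192.0.2.10 standing in for the origin's real address, and the CA bundle name ca-certs.pem taken from janos's config are placeholders.

```ini
; Added example, not from the thread: bridge one origin for a browser that cannot
; speak TLS 1.2. Browser side is cleartext on loopback only; upstream side is
; verified TLS 1.2 or newer.
[example-bridge]
client = yes
accept = 127.0.0.1:80
; The hosts-file entry for www.example.com points back to loopback, so a name
; here would make stunnel connect to itself: use the origin's address (placeholder).
connect = 192.0.2.10:443
; Name the origin in SNI and verify chain and hostname against that name,
; not against the address.
sni = www.example.com
verifyChain = yes
CAfile = ca-certs.pem
checkHost = www.example.com
; Never offer the browser's old protocol upstream (stunnel 5.50 and later;
; older builds use sslVersion = TLSv1.2 instead).
sslVersionMin = TLSv1.2
```

Zizhong's "delay = yes" is the option to add when connect carries a hostname that should be re-resolved on every connection; with the hosts-file redirection it cannot be used for the same name, which is why the address is written literally here. One such service per origin is the limit of what stunnel does, since it never reads the Host header, and the browser still loses the protections Zizhong mentions (Content-Security-Policy and similar) on the cleartext leg.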
------------------------------
Message: 3
Date: Tue, 4 Dec 2018 21:37:53 +0100
From: kovacs janos kovacsjanosfasz@gmail.com
To: Zizhong Zhang zizazit@protonmail.com
Cc: "stunnel-users@stunnel.org" stunnel-users@stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: CAOchpkq7vG8vHBCrbVn6d4Eh7M2rd6jEob_huhoG=ZefJnpHLw@mail.gmail.com
Content-Type: text/plain; charset="UTF-8"
Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and forward it to the connect address? If that's true, shouldn't it also decrypt returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?
I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as https.
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
Hello,
I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
    events {}
    http {
        server {
            resolver 9.9.9.9;
            listen 80;
            location / {
                proxy_pass https://$host$request_uri;
                proxy_set_header Host $http_host;
            }
        }
    }

You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.
--Zizhong
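What janos asks for in this message, a client that takes cleartext from the browser, wraps it in current TLS and hands the decrypted response back, needs the target of each request, and stunnel's fixed connect = target has no way to read it. The Python below is an added example, not from the thread or from the stunnel, privoxy or nginx projects: a minimal local bridge that reads the absolute-form request a browser sends to an HTTP proxy, opens a verified TLS 1.2-or-newer connection to that host, and relays the response in cleartext to the browser. The listen port 8118 (privoxy's port reused as a placeholder), the one-request-per-connection simplification and the Content-Length-only body handling are assumptions.

```python
import socket
import ssl
import threading
from urllib.parse import urlsplit

# Assumed: the old browser's HTTP proxy setting points here (cleartext, loopback only).
LISTEN = ("127.0.0.1", 8118)


def parse_proxy_request(head: bytes):
    """Turn the absolute-form request a browser sends to an HTTP proxy
    (GET http://host/path HTTP/1.1) into (host, port, origin-form request head)."""
    request_line, _, rest = head.partition(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    if method == b"CONNECT":
        # A CONNECT tunnel would carry the browser's own old TLS end to end, so it cannot be upgraded here.
        raise ValueError("CONNECT is not bridged; configure the browser to send plain http:// URLs")
    url = urlsplit(target.decode("ascii"))
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("expected an absolute http:// or https:// URL")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    # Drop proxy and hop-by-hop headers, set Host to the origin, one request per connection.
    skip = (b"host:", b"proxy-connection:", b"connection:")
    headers = [h for h in rest.split(b"\r\n") if h and not h.lower().startswith(skip)]
    headers = [b"Host: " + url.hostname.encode("ascii"), b"Connection: close"] + headers
    new_head = b" ".join([method, path.encode("ascii"), version]) + b"\r\n" + b"\r\n".join(headers) + b"\r\n\r\n"
    return url.hostname, url.port or 443, new_head


def content_length(head: bytes) -> int:
    """Request body length announced by the browser (0 when absent)."""
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1])
    return 0


def upstream_context() -> ssl.SSLContext:
    """Upstream leg: TLS 1.2 or newer only, chain and hostname verified against the system CA store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def bridge_one(client: socket.socket) -> None:
    """Serve one browser connection: cleartext in, verified TLS out, cleartext response back."""
    with client:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = client.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        head += b"\r\n\r\n"
        try:
            host, port, new_head = parse_proxy_request(head)
        except ValueError as err:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n" + str(err).encode() + b"\r\n")
            return
        need = content_length(head) - len(body)
        while need > 0:  # finish reading a POST body announced via Content-Length
            chunk = client.recv(min(need, 65536))
            if not chunk:
                return
            body += chunk
            need -= len(chunk)
        with socket.create_connection((host, port), timeout=15) as raw, \
                upstream_context().wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(new_head + body)
            while True:  # Connection: close upstream, so relay until the origin closes
                data = tls.recv(16384)
                if not data:
                    break
                client.sendall(data)


def serve() -> None:
    """Accept browser connections on loopback only and bridge each in its own thread."""
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=bridge_one, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it, point the old browser's HTTP proxy setting at 127.0.0.1:8118 and type http:// URLs: the bridge verifies the origin's certificate and hostname on the TLS leg, which stunnel's checkHost/verifyChain pair does per configured service and janos's [Tunnel_in] never reached. The response still arrives in the browser over cleartext, with exactly the loss of HTTPS-only protections Zizhong describes for the nginx variant; binding to loopback keeps that cleartext off the network.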
------------------------------
Message: 4
Date: Wed, 5 Dec 2018 10:12:06 +0100
From: Flo Rance trourance@gmail.com
To: kovacsjanosfasz@gmail.com
Cc: zizazit@protonmail.com, stunnel-users@stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: CAHogYcV+ig2-2u8CWYbbqH_AnkiZNzqM9etx=jHj3N+nug-FpQ@mail.gmail.com
Content-Type: text/plain; charset="utf-8"
I would recommend using squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Therefore, you'll be able to connect with TLS1.0 to squid and the proxy will establish a TLSv1.2 connection to the final destination.
Regards, Flo
On Tue, Dec 4, 2018 at 9:38 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and forward it to the connect address? If that's true, shouldn't it also decrypt returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?
I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as https.
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
Hello,
I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
    events {}
    http {
        server {
            resolver 9.9.9.9;
            listen 80;
            location / {
                proxy_pass https://$host$request_uri;
                proxy_set_header Host $http_host;
            }
        }
    }

You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.
--Zizhong