Now I'm really not sure, since the Wikipedia page on stunnel also describes the program doing exactly what I need in the Example scenario section: https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."
The only difference is, I need it to forward "unsecured traffic" to my browser client, not a server. Are you all sure it's really not possible?
On 12/5/18, kovacs janos kovacsjanosfasz@gmail.com wrote:
Thank you for the suggestions, but can someone tell me in what cases stunnel can be used? I can connect to http websites through it, but https doesn't work, even if it would otherwise do. I try to connect to 'https://via.hypothes.is/' like this, which I can access in a browser without any proxy:

    [Tunnel_in]
    client = yes
    accept = 127.0.0.1:443
    connect = via.hypothes.is:443

I get these logs:

    LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
    LOG5[1]: s_connect: connected 104.20.214.15:443
    LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
    LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket

and the browser just shows a 'server not found' error. With http sites it's the same logs except the IP and bytes, and it loads in the browser.
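As an added example (not part of the thread), a small Python parser for stunnel LOG5 lines of the kind quoted above: it groups the lines by connection id so that a tunnel that came up and closed after only a few hundred bytes each way, as in this message, stands out. The sample log is constructed from the four lines above; the byte-count threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the LOG5 lines quoted in the thread, one per line.
SAMPLE_LOG = """\
LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
LOG5[1]: s_connect: connected 104.20.214.15:443
LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
"""

# "LOG<level>[<connection id>]: <message>"; the id ties one connection's lines together
LINE_RE = re.compile(r"^LOG(\d)\[(\d+)\]: (.*)$")
ACCEPT_RE = re.compile(r"Service \[([^\]]+)\] accepted connection from (\S+)")
REMOTE_RE = re.compile(r"s_connect: connected (\S+)")
CLOSE_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")

@dataclass
class Conn:
    conn_id: int
    service: str = ""         # stunnel service section, e.g. Tunnel_in
    peer: str = ""            # local client that hit the accept address
    remote: str = ""          # host:port stunnel connected to
    bytes_to_tls: int = 0     # bytes read from the plain socket and sent into TLS
    bytes_to_socket: int = 0  # bytes decrypted from TLS and written to the plain socket
    closed: bool = False

def parse_stunnel_log(text: str) -> dict:
    # Group log lines by connection id into one Conn record each
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line
        cid, msg = int(m.group(2)), m.group(3)
        c = conns.setdefault(cid, Conn(cid))
        if (a := ACCEPT_RE.search(msg)):
            c.service, c.peer = a.group(1), a.group(2)
        elif (r := REMOTE_RE.search(msg)):
            c.remote = r.group(1)
        elif (k := CLOSE_RE.search(msg)):
            c.bytes_to_tls, c.bytes_to_socket = int(k.group(1)), int(k.group(2))
            c.closed = True
    return conns

def short_exchanges(conns: dict, limit: int = 1024) -> list:
    # Closed connections that moved fewer than `limit` bytes each way (assumed
    # threshold): the tunnel came up but ended before anything like page data flowed.
    return sorted(c.conn_id for c in conns.values()
                  if c.closed and c.bytes_to_tls < limit and c.bytes_to_socket < limit)
```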
On 12/5/18, Flo Rance trourance@gmail.com wrote:
I would recommend using squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Therefore, you'll be able to connect with TLS 1.0 to squid and the proxy will establish a TLSv1.2 connection to the final destination.
Regards, Flo
On Tue, Dec 4, 2018 at 9:38 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and forward it to the connect address? If that's true, shouldn't it also decrypt the returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?
I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as https.
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
Hello,
> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
    events {}
    http {
        server {
            resolver 9.9.9.9;
            listen 80;
            location / {
                proxy_pass https://$host$request_uri;
                proxy_set_header Host $http_host;
            }
        }
    }
You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML.
Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.
--Zizhong
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users