Sorry to bother you. I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use Privoxy. The browser is configured to send to: 127.0.0.1 443
The stunnel config has this at the end:
[Tunnel_in]
client = yes
accept = 127.0.0.1:443
connect = 127.0.0.1:8118
verifyChain = yes
CAfile = ca-certs.pem
checkHost = localhost
127.0.0.1:8118 is the Privoxy address. This is what stunnel writes:
LOG5[main]: Configuration successful
LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
LOG5[0]: s_connect: connected 127.0.0.1:8118
LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
and the browser loads infinitely, and never loads anything or leaves the page. If I remove the last 3 lines, it's the same, just with this line added:
LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
but it doesn't give an error or anything.
With a configuration like:
[Tunnel_out]
client = no
accept = 127.0.0.1:443
connect = 127.0.0.1:8118
cert = stunnel.pem
this is what it gives:
LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
and the browser gives a 'server not found' error immediately. I'm not even sure if I should use the client or the server configuration in a case like this, but neither of them works anyway. All I would need is for my browser to get the pages decrypted, or at least in less than TLS 1.1. Like how on newipnow.com I can access sites with any encryption, since they are sent to the browser without encryption. The browser just gives an "unencrypted tunnel" warning, which is how I found stunnel, and which is exactly what I need, just locally.
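A short check, added here as an example that is not stunnel's code and was not posted by anyone in this thread, for the two failure modes in the message above. The LOG3 line "SSL23_GET_CLIENT_HELLO:https proxy request" in the server-mode attempt is what OpenSSL reports when the first bytes on the accepted socket are an HTTP "CONNECT host:443" line rather than a TLS ClientHello; that is what a browser sends when 127.0.0.1:443 is configured as its HTTPS proxy instead of being the site it connects to. A client-mode stunnel produces the mirror-image mismatch: it wraps whatever the browser sends, including the browser's own ClientHello, in a second TLS layer, so the remote web server receives handshake bytes where it expects an HTTP request. The script reproduces OpenSSL's ClientHello-versus-CONNECT distinction and parses a ClientHello to list the protocol versions the client offers, which is the check to run on a capture from an old browser before deciding whether a TLS 1.2-only site can accept it. The names classify, build_client_hello and offered_versions are chosen for this example, and every input it uses is constructed sample data.

```python
"""Classify what a TLS listener receives, and read the versions a ClientHello offers.

Added example for this thread; it is not stunnel code and was not posted by
anyone in the thread. Function names and the sample inputs are the example's
own constructions.
"""
import struct

TLS_VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# Plaintext HTTP openings. OpenSSL's ClientHello reader checks for these and
# reports "https proxy request" (CONNECT) or "http request" (the others).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify(data):
    """Return what kind of stream the first bytes on an accepted socket look like."""
    # TLS record: content type 0x16 (handshake), version major 3, minor 0..4
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 3 and data[2] <= 4:
        return "tls-client-hello"
    if data.startswith(b"CONNECT "):
        return "http-proxy-connect"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def build_client_hello(client_version, supported=None):
    """Construct a minimal ClientHello (sample data for the example, not a real
    browser's) with the given legacy client_version and, optionally, a
    supported_versions extension (type 43) as TLS 1.3 clients send it."""
    body = bytes(client_version)        # client_version
    body += b"\x00" * 32                # random (zeroed: sample data only)
    body += b"\x00"                     # empty session id
    body += b"\x00\x02\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                 # one compression method: null
    ext = b""
    if supported:
        vers = b"".join(bytes(v) for v in supported)
        ext_data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", 43, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # The record-layer version is commonly 0x0301 whatever the real version is
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(data):
    """List the protocol versions a ClientHello offers, in the order sent.

    Pre-1.3 clients announce only client_version; TLS 1.3 clients keep
    client_version at 0x0303 and put the real list in supported_versions.
    """
    if classify(data) != "tls-client-hello":
        raise ValueError("not a TLS ClientHello: %s" % classify(data))
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 1:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    versions = [(body[0], body[1])]
    pos = 2 + 32                                           # skip client_version, random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos + 2 <= len(body):                               # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 43 and edata:                      # supported_versions
                n = edata[0]
                versions = [(edata[i], edata[i + 1]) for i in range(1, 1 + n, 2)]
    return [TLS_VERSION_NAMES.get(v, "unknown %d.%d" % v) for v in versions]


if __name__ == "__main__":
    # Constructed samples: what a browser sends when 127.0.0.1:443 is set as
    # its HTTPS *proxy* (CONNECT), versus an old and a modern ClientHello.
    samples = {
        "browser using listener as proxy":
            b"CONNECT via.hypothes.is:443 HTTP/1.1\r\nHost: via.hypothes.is:443\r\n\r\n",
        "TLS 1.0-only browser": build_client_hello((3, 1)),
        "modern browser": build_client_hello((3, 3), supported=[(3, 4), (3, 3)]),
    }
    for label, data in samples.items():
        kind = classify(data)
        detail = offered_versions(data) if kind == "tls-client-hello" else "-"
        print("%-32s %-20s %s" % (label, kind, detail))
```

Run it as-is for the three constructed samples, or feed classify the first bytes read from a real accepted socket or a capture; a ClientHello whose only offered version is TLS 1.0 is exactly the client that a server requiring TLS 1.2 will reject with a handshake failure, which the browser reports as a no-cipher-overlap style error.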
Hi,
It's not clear from your description what is running on local port 8118.
Regards, Flo
On Mon, Dec 3, 2018 at 2:40 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Thank you for the reply. It's the address and port where Privoxy listens for requests. From the config file:
# 4.1. listen-address
# ====================
#
# Specifies:
#
# The IP address and TCP port on which Privoxy will listen for
# client requests.
and under it:
listen-address 127.0.0.1:8118
On 12/3/18, Flo Rance trourance@gmail.com wrote:
Sorry I didn't read it correctly. I don't think this is something stunnel can handle.
Regards, Flo
On Mon, Dec 3, 2018 at 9:31 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well, it says this on the first line of the website: "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
I just want to add TLS functionality to client browsers which don't have it. I only need stunnel to decrypt TLS traffic going back to the browser.
On 12/4/18, Flo Rance trourance@gmail.com wrote:
This is not what I understood from your first description. You would like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web proxy.
This is why I don't think stunnel is intended for that.
That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason, and you should seriously think about updating your tools.
Regards, Flo
On Tue, Dec 4, 2018 at 3:18 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well yes, I'm pretty sure the same encryption is needed in the requests and the returned page, otherwise it would probably get a no cypher overlap error.
So I basically need stunnel to encrypt outgoing requests, and decrypt the returned things, and only on the browser side of the connection.
There's a good reason why they are deprecated, but it would be better to add this functionality this way if possible, rather than change whole programs, especially when it's the purpose of stunnel, according to the description.
On 12/4/18, Flo Rance trourance@gmail.com wrote:
Hello,
I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use Privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
events {}
http {
    server {
        resolver 9.9.9.9;
        listen 80;
        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;
        }
    }
}
You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.
--Zizhong
Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and forward it to the connect address? If that's true, shouldn't it also decrypt the returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?
I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as https.
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
I would recommend using Squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Therefore, you'll be able to connect with TLS1.0 to Squid, and the proxy will establish a TLSv1.2 connection to the final destination.
Regards, Flo
On Tue, Dec 4, 2018 at 9:38 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Thank you for the suggestions, but can someone tell me in what cases stunnel can be used? I can connect to http websites through it, but https doesn't work, even if it would otherwise do. I try to connect to 'https://via.hypothes.is/' like this, which I can access in the browser without any proxy:
[Tunnel_in]
client = yes
accept = 127.0.0.1:443
connect = via.hypothes.is:443
I get these logs:
LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
LOG5[1]: s_connect: connected 104.20.214.15:443
LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
and the browser just shows a 'server not found' error. With http sites it's the same logs except the IP and bytes, and it loads in the browser.
On 12/5/18, Flo Rance trourance@gmail.com wrote:
Now I'm really not sure, since the Wikipedia page on stunnel also describes the program doing exactly what I need in the Example scenario section: https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."
The only difference is, I need it to forward "unsecured traffic" to my browser client, not a server. Are you all sure it's really not possible?
On 12/5/18, kovacs janos kovacsjanosfasz@gmail.com wrote:
thank you for suggestions, but can someone tell me in what cases stunnel can be used? i can connect to http websites through it, but https doesnt work, even if it would otherwise do. i try to connect to 'https://via.hypothes.is/' like this, which i can access in browser without any proxy: [Tunnel_in] client = yes accept = 127.0.0.1:443 connect = via.hypothes.is:443
i get these logs: LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788 LOG5[1]: s_connect: connected 104.20.214.15:443 LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789 LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
and the browser just shows a 'server not found' error. with http sites its the same logs except the IP and bytes, and it loads in the browser.
On 12/5/18, Flo Rance trourance@gmail.com wrote:
I would recommend using squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Therefore, you'll be able to connect with TLS1.0 to squid and the proxy will establish a TLSv1.2 connection to the final destination.
Regards, Flo
On Tue, Dec 4, 2018 at 9:38 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and forward it to the connect address? If that's true, shouldn't it also decrypt returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?
I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as HTTPS.
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
Hello,
I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites. I heard stunnel can't be configured to always forward to the current site address dynamically, that's why I would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
    events {}
    http {
        server {
            resolver 9.9.9.9;
            listen 80;
            location / {
                proxy_pass https://$host$request_uri;
                proxy_set_header Host $http_host;
            }
        }
    }
You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
----- Original Message ----- From: "kovacs janos" kovacsjanosfasz@gmail.com To: "Flo Rance" trourance@gmail.com Cc: stunnel-users@stunnel.org Sent: Friday, December 07, 2018 2:30 AM Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Now I'm really not sure, since the Wikipedia page on stunnel also describes the program doing exactly what I need in the Example scenario section: https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."
The only difference is, I need it to forward "unsecured traffic" to my browser client, not a server. Are you all sure it's really not possible?
It is possible, with the same limitations as in the server case. In the case of a server, there is one server, which accepts incoming connections (unencrypted), and stunnel accepts unencrypted connections for that (one) server and decrypts and forwards them. There is only one server, which gets connected to by stunnel.
In the case of a client (browser), for each remote (https) server to be connected to, the stunnel config file will need an entry; in the browser it will not be possible to use DNS names (all servers will have to be addressed as 127.0.0.1:someport, where "someport" is the port assigned in the stunnel conf server entry accept statement), so most links in web pages will not work. It may be feasible for a small number of servers which do not link any external resources.
If stunnel can only accept from and forward to one address, can't that be worked around by setting a dynamic address proxy on both sides of stunnel? Like: proxy - stunnel - proxy
Although I haven't been able to connect to even a single website, but I didn't try with specifically the IP.
What do you mean by dynamic address proxy?
I mean a proxy that can work with the address of the actual website opened in the browser, not just specific addresses defined in the config file.
At least I thought that's what you meant with this: "In the case of a client (browser), for each remote (https) server to be connected to, the stunnel config file will need an entry; in the browser it will not be possible to use DNS names (all servers will have to be addressed as 127.0.0.1:someport, where "someport" is the port assigned in the stunnel conf server entry accept statement), so most links in web pages will not work."
If stunnel can only work with specified addresses, can't a proxy like privoxy be set up at both ends, so that stunnel only has to accept and connect to the address of the proxies?
How would the connection between stunnel and the server through a proxy work? To verify the server's identity, stunnel needs to receive and verify the server's certificate, and since the server's address is defined in the config file, anything that modifies traffic between stunnel and the server will be seen as a MITM and that will break connectivity. It might be possible to disable certificate verification, but in that case sslstrip would be a better solution (it would have the same security).
How can I disable verification though? At first I just want to see it work at all. In the howto page, it says this: "Stunnel has 3 methods for checking certificates, which are controlled by the verify option:
* Do not Verify Certificates: If no verify argument is given, then stunnel will ignore any certificates offered and will allow all connections."
There is no "verify" in the stunnel.conf file, and only the gmail service examples have verifyChain.
Anyway, here is an article about what I need: https://en.wikipedia.org/wiki/TLS_termination_proxy
Except it shouldn't pass the unencrypted data to a server but to a browser. On the same page, stunnel is listed under "Servers capable of acting as a TLS/SSL termination proxy". I would be grateful if I could finally make this work.
It cannot be made to work. A TLS termination proxy is a type of reverse proxy; a proxy behind a browser is a forward proxy. A reverse proxy connects to 1 (or a small set of) server(s), defined in the proxy configuration; the client cannot select the destination server. A forward proxy connects to many servers, defined in the client connection request. Stunnel does not read the contents of the request and can connect only to the defined server(s).
Okay, but that's why I configure stunnel to connect to the privoxy address.
"Reverse proxy connects to 1 (or small set of) server, defined in proxy configuration, client cannot select destination server." "Stunnel does not read contents of request and can connect only to defined server(s)."
The one server would be privoxy, which connects to the servers defined in the client connection request, which it does perfectly if used by itself. All stunnel would have to do is decrypt the traffic going to the browser.
Hi,
You are going around and around and you don't get it.
Yes, stunnel, after all, is a proxy, as it acts as an intermediate (end of proxy definition), but it is not a proxy as you understand it.
While all proxy servers act as a funnel (the wide side accepts inbound connections and the tight side makes outbound connections for EACH request), that is, they accept any connection and reroute it based on the request headers, stunnel is just a tube (one inbound and one outbound connection), a tunnel, better said, to match its own name, that is, it only connects peer to peer with just one connection and ONLY, I repeat, ONLY, if that connection has already been set up as a service, because stunnel doesn't read the headers to decide where to connect.
I repeat: the service, telling where (ip:port) it should accept connections and where (ip/host:port) it should connect to, MUST be set up first in stunnel.conf (or whatever you named it).
Even though the connect variable for a service can have multiple destinations, it only connects to one of them, in a random way.
If, let's imagine, the above phrase could be the solution, THAT ISN'T, you would need to set up all the domain names used in the world as connect options and, even then, as the connections are random and it can't choose one based on headers, as, as said above, it doesn't read them, you won't be able to connect to the desired destination.
That is the reason stunnel isn't and can't be used as a regular proxy. In short, stunnel is there to give TLS/SSL capabilities to non-secure-aware (or old) programs, or to control the TLS/SSL aside from the background program.
You'll need to use a real proxy server.
I hope this is crystal clear enough and helps anyone that comes to the list asking this (there are a few) to understand why it can't be used for their purposes.
Regards :)
P.S.: as a bonus, kind of off-topic, and even though it doesn't explain everything, maybe it could help some to understand how connections work, with this OOOOLD video, even though it talks only briefly about the proxy server: http://warriorsofthe.net/ http://warriorsofthe.net/movie.html (video language selection)
I understand, and thank you for the explanation, but as I said, I use a program called 'Privoxy', and that is where stunnel would connect after accepting browser requests. Privoxy's accept address is what is given to stunnel as the connect address. Privoxy is a proxy capable of forwarding the requests to the address opened in the browser, so all stunnel would have to do is encrypt and decrypt traffic between the browser and Privoxy. But when I try it, every connection is an endless load, the stunnel icon is blue, and no logs are made in Privoxy.
On Thu, 13 Dec 2018 21:03:27 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
I understand, and thank you for the explanation, but as I said, I use a program called 'Privoxy', and that is where stunnel would connect after accepting browser requests. Privoxy's accept address is what is given to stunnel as the connect address. Privoxy is a proxy capable of forwarding the requests to the address opened in the browser, so all stunnel would have to do is encrypt and decrypt traffic between the browser and Privoxy. But when I try it, every connection is an endless load, the stunnel icon is blue, and no logs are made in Privoxy.
Hi,
Because the proxy is to be told where to connect and receives a direct secure handshake.
Even if privoxy could use the SNI to redirect the traffic, you will need to specify a service, in stunnel.conf, for every host you want to connect to, each one with a SNI. You face the same problem.
And, aside from this, why Stunnel in the middle? To secure LAN traffic in case it is running on a second PC? Privoxy is useless with encrypted data; it just transmits from origin to destination: https://www.privoxy.org/faq/misc.html#SSL
Regards.
"Because the proxy is to be told where to connect and receives a direct secure handshake."
Is that necessary even if stunnel is told not to verify the connections? "If no verify argument is given, then stunnel will ignore any certificates offered and will allow all connections." And I gave no verify anywhere.
"Privoxy is useless with encrypted data" I tried it again but with all 'debug' levels set in Privoxy, and it's true that after a while these errors are written: "Invalid request" 400 0 Error: Invalid header received from 127.0.0.1. Writing: HTTP/1.0 400 Invalid header received from client
Is this because of TLS encryption? Does this mean Privoxy can't even simply forward TLS requests? If so, can anyone tell me a proxy that can, and preferably doesn't do anything else? And works on Windows?
On Sat, 15 Dec 2018 21:54:33 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
"Because the proxy is to be told where to connect and receives a direct secure handshake."
Is that necessary even if stunnel is told not to verify the connections? "If no verify argument is given, then stunnel will ignore any certificates offered and will allow all connections." And I gave no verify anywhere.
Hi,
The verification has nothing to do with the connection, but with the verification by Stunnel of the received certificate, if it is set as client, from the server, or if it is running as a server, from the clients (cert or PSK).
What I said above is that the proxy expects to be told where to connect, and instead receives a secure handshake, which it doesn't understand.
And, as you found then, with the quoted text below: it can't find the headers requesting it to connect wherever is needed.
"Privoxy is useless with encrypted data" I tried it again but with all 'debug' levels set in Privoxy, and it's true that after a while these errors are written: "Invalid request" 400 0 Error: Invalid header received from 127.0.0.1. Writing: HTTP/1.0 400 Invalid header received from client
Is this because of TLS encryption? Does this mean Privoxy can't even simply forward TLS requests?
It's not that it can't handle/forward it, it's that it doesn't expect encrypted garbage. It expects an HTTP header telling it where to connect.
It can forward, but only when it knows where to connect. As stunnel is not designed for this (it is not an HTTP web browser), it doesn't send what the proxy needs.
And, again, setting up Stunnel to handle this kind of task (browsing through it, or redirecting to a proxy) is unrealizable in any way. It wasn't made for this.
If so, can anyone tell me a proxy that can, and preferably doesn't do anything else? And works on Windows?
Can't help with that, sorry.
Regards.
On Sunday, December 16, 2018 12:35 AM, Javier jamilist.stn@gmx.es wrote:
On Sat, 15 Dec 2018 21:54:33 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
If so, can anyone tell me a proxy that can, and preferably doesn't do anything else? And works on Windows?
Can't help with that, sorry.
No you can't, because people in this thread, me included, had offered other solutions (i.e., nginx and squid) but they have been blatantly ignored.
I don't think anyone can help if one has such a fixation on stunnel and privoxy.
Sorry for that, but nginx and squid both don't work on my setup, and look too heavy for simply decrypting and forwarding.
Regarding Privoxy, I have tried on other computers with new browsers to connect to TLS 1.1 - TLS 1.2 only sites through Privoxy, with no stunnel, and it worked. (For example: https://www.deviantart.com/ if someone wants to see.)
I also set 'accept-intercepted-requests 1' in the config, but that didn't work either.
Does this mean stunnel encrypts requests differently than browsers? Or is the connection between browser and proxy different from stunnel and proxy? I don't understand, and I'm sorry for bothering people.
On Tue, 2018-12-18 17:49:16 +0100, kovacs janos wrote:
[..]
Does this mean stunnel encrypts requests differently than browsers? Or is the connection between browser and proxy different from stunnel and proxy?
Janos,
Making HTTPS from HTTP is a bit more than just encrypting/decrypting. To make this work, you have to re-write HTTP headers and links in the HTTP body before encrypting and after decrypting. As these are part of the TCP payload, you have to follow, parse and modify the data streams exchanged between client and server, in addition to encryption.
HTH,
Ludolf
So stunnel doesn't rewrite the headers besides the encryption? Does that mean only stunnel can receive traffic forwarded by itself, and can only work if both ends of the tunnel are defined and connected?
On 12/18/18, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
On Tue, 2018-12-18 17:49:16 +0100, kovacs janos wrote:
[..]
Does this mean stunnel encrypts requests differently than browsers? Or is the connection between browser and proxy different from stunnel and proxy?
Janos,
Making HTTPS from HTTP is a bit more than just encrypting/decrypting. To make this work, you have to re-write HTTP headers and links in the HTTP body before encrypting and after decrypting. As these are part of the TCP payload, you have to follow, parse and modify the data streams exchanged between client and server, in addition to encryption.
HTH,
Ludolf
--
Ludolf Holzheid
Bihl+Wiedemann GmbH Floßwörthstraße 41 68199 Mannheim, Germany
Tel: +49 621 33996-0 Fax: +49 621 3392239
mailto:lholzheid@bihl-wiedemann.de http://www.bihl-wiedemann.de
Registered office: Mannheim. Managing directors: Jochen Bihl, Bernhard Wiedemann. Amtsgericht Mannheim, HRB 5796
On Wed, 2018-12-19 16:13:25 +0100, kovacs janos wrote:
So stunnel doesn't rewrite the headers besides the encryption?
Yes.
Does that mean only stunnel can receive traffic forwarded by itself,
There are other protocols than HTTP, without the need for re-writing contents while encrypting/decrypting, such as e.g. POP3.
The peculiarity of HTTP is, it thrives on the links from one resource to another. If you change the way the resources are retrieved, you have to change their addresses in both the request you send to the server and the document you present to the client.
and can only work if both ends of the tunnel are defined and connected?
This depends on the terminology.
If 'the tunnel' is the section of the path where the data is encrypted, then yes, both ends of the tunnel must be defined.
If 'stunnel works' means actual data flow, then yes, there obviously must be a connection between the tunnel ends.
A stunnel process is listening on a configured TCP port for connection requests and, depending on the configuration, may accept any client that reaches the stunnel process. If 'the tunnel' includes the path from the client to the stunnel process, then no, the client end of the tunnel is not defined beforehand.
If a client is accepted, the stunnel process sets up a connection to the configured server (which may be, but does not have to be, a second stunnel process). If 'stunnel works' means the stunnel process is up and waiting for connection requests, then no, there is no need for a connection for stunnel to work.
Ludolf
What I mean by stunnel working is the connection between the browser and the requested server working through stunnel. But if that is true, then the traffic forwarded by stunnel can only be received by stunnel, and nothing can be between the two ends at all, or it will always give an error.
On Thu, Dec 20, 2018 at 04:05:06AM +0100, kovacs janos wrote: [format recovered; top-posting considered harmful]
On 12/19/18, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
On Wed, 2018-12-19 16:13:25 +0100, kovacs janos wrote:
So stunnel doesn't rewrite the headers besides the encryption?
Yes.
Does that mean only stunnel can receive traffic forwarded by itself,
There are other protocols than HTTP, without the need for re-writing contents while encrypting/decrypting, such as e.g. POP3.
The peculiarity of HTTP is, it thrives on the links from one resource to another. If you change the way the resources are retrieved, you have to change their addresses in both the request you send to the server and the document you present to the client.
and can only work if both ends of the tunnel are defined and connected?
This depends on the terminology.
If 'the tunnel' is the section of the path where the data is encrypted, then yes, both ends of the tunnel must be defined.
If 'stunnel works' means actual data flow, then yes, there obviously must be a connection between the tunnel ends.
A stunnel process is listening on a configured TCP port for connection requests and, depending on the configuration, may accept any client that reaches the stunnel process. If 'the tunnel' includes the path from the client to the stunnel process, then no, the client end of the tunnel is not defined beforehand.
If a client is accepted, the stunnel process sets up a connection to the configured server (which may be, but does not have to be, a second stunnel process). If 'stunnel works' means the stunnel process is up and waiting for connection requests, then no, there is no need for a connection for stunnel to work.
What I mean by stunnel working is the connection between the browser and the requested server working through stunnel. But if that is true, then the traffic forwarded by stunnel can only be received by stunnel, and nothing can be between the two ends at all, or it will always give an error.
The connection between a browser and stunnel will work just fine if stunnel is working in server mode in front of a single server with a well-known set of hostnames - then stunnel may be configured to accept TLS/SSL connections from browsers, provide the certificates for the hostname that the client (the browser) requests, and forward the connection to the server.
It might also be possible to get stunnel to work in client mode for a single server or a few servers with well-known hostnames and addresses: then stunnel will accept a non-encrypted connection from the browser, establish a TLS/SSL connection to the server (or servers), encrypt the browser's traffic, and decrypt the server's response.
What is not so easy (and I am not sure it can even be done in general) is to have stunnel work with an *unknown* set of servers, and that's basically what you want. Stunnel is just not written for that purpose - it is written to make it easy to convert existing services with a well-known configuration to use encrypted connections.
Also, please note that the Internet is not the same as the World-Wide Web - as others have pointed out, stunnel may be used not just with a web browser as a client or with a web server in something like reverse-proxy mode, but also with TLS/SSL versions of IMAP, POP3, SMTP, and many other protocols, both well-known and custom-made for some application. The common factor, though, is that it either works as a TLS/SSL server with a well-known set of hostnames to respond for, or a TLS/SSL client with a well-known set of hostnames to connect to. You are trying to use it for something that it was not designed for.
Hope that helps!
G'luck, Peter
Thank you for the explanation, but if a proxy can't read the traffic encrypted by stunnel, that means even if the set of possible hostnames is given, the destination server could not read the request unless there is another stunnel in front of the server which can receive and decrypt the request, which I obviously don't have access to.
On 12/20/18, Peter Pentchev roam@ringlet.net wrote:
On Thu, Dec 20, 2018 at 04:05:06AM +0100, kovacs janos wrote: [format recovered; top-posting considered harmful]
On 12/19/18, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
On Wed, 2018-12-19 16:13:25 +0100, kovacs janos wrote:
So stunnel doesn't rewrite the headers besides the encryption?
Yes.
Does that mean only stunnel can receive traffic forwarded by itself,
There are other protocols than HTTP, without the need for re-writing contents while encrypting/decrypting, such as e.g. POP3.
The peculiarity of HTTP is, it thrives on the links from one resource to another. If you change the way the resources are retrieved, you have to change their addresses in both the request you send to the server and the document you present to the client.
and can only work if both ends of the tunnel are defined and connected?
This depends on the terminology.
If 'the tunnel' is the section of the path where the data is encrypted, then yes, both ends of the tunnel must be defined.
If 'stunnel works' means actual data flow, then yes, there obviously must be a connection between the tunnel ends.
A stunnel process is listening on a configured TCP port for connection requests and, depending on the configuration, may accept any client that reaches the stunnel process. If 'the tunnel' includes the path from the client to the stunnel process, then no, the client end of the tunnel is not defined beforehand.
If a client is accepted, the stunnel process sets up a connection to the configured server (which may be, but does not have to be, a second stunnel process). If 'stunnel works' means the stunnel process is up and waiting for connection requests, then no, there is no need for a connection for stunnel to work.
What I mean by stunnel working is the connection between the browser and the requested server working through stunnel. But if that is true, then the traffic forwarded by stunnel can only be received by stunnel, and nothing can be between the two ends at all, or it will always give an error.
The connection between a browser and stunnel will work just fine if stunnel is working in server mode in front of a single server with a well-known set of hostnames - then stunnel may be configured to accept TLS/SSL connections from browsers, provide the certificates for the hostname that the client (the browser) requests, and forward the connection to the server.
It might also be possible to get stunnel to work in client mode for a single server or a few servers with well-known hostnames and addresses: then stunnel will accept a non-encrypted connection from the browser, establish a TLS/SSL connection to the server (or servers), encrypt the browser's traffic, and decrypt the server's response.
What is not so easy (and I am not sure it can even be done in general) is to have stunnel work with an *unknown* set of servers, and that's basically what you want. Stunnel is just not written for that purpose - it is written to make it easy to convert existing services with a well-known configuration to use encrypted connections.
Also, please note that the Internet is not the same as the World-Wide Web - as others have pointed out, stunnel may be used not just with a web browser as a client or with a web server in something like reverse-proxy mode, but also with TLS/SSL versions of IMAP, POP3, SMTP, and many other protocols, both well-known and custom-made for some application. The common factor, though, is that it either works as a TLS/SSL server with a well-known set of hostnames to respond for, or a TLS/SSL client with a well-known set of hostnames to connect to. You are trying to use it for something that it was not designed for.
Hope that helps!
G'luck, Peter
-- Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
On Thu, 20 Dec 2018 14:18:10 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
Thank you for the explanation, but if a proxy can't read the traffic encrypted by stunnel, that means even if the set of possible hostnames is given, the destination server could not read the request unless there is another stunnel in front of the server which can receive and decrypt the request, which I obviously don't have access to.
Hi,
O_o
Really, where did you understand that???!!!
Stunnel is a program to give encryption capabilities to programs that can't establish secure connections. That doesn't mean that at both ends there should be a Stunnel instance running!!!!!
As long as both ends have the same ciphers, that is what the handshake is for, to negotiate the security of connection, it doesn't matter what program handles the secure connection at the end point.
And, again, the proxy can't handle the connection because it doesn't receive what it expects: an HTTP header to tell it where to redirect the data. And that isn't provided by Stunnel.
Let's see if with a "sketch" you understand it.
1. In client mode, Stunnel listens on 127.0.0.1 port 1256 and connects to somehost:565 (totally invented destination host and port to avoid any further confusion)
2. Program sends plain text to 127.0.0.1:1256
3. Stunnel takes it and connects to destination
4. After a handshake with secure connection parameters, encrypts that data and sends to destination
5. Any dialog between destination and Stunnel would be encrypted after this.
6. Responses from destination would be decrypted and sent back in plain text to the program that requested Stunnel to connect.
7. Repeat, except handshake, until there is no need of the connection by the initiating program.
It doesn't do anything else. And it is almost the opposite when running as server.
Did you understand it?
The proxy server is expecting an HTTP header and Stunnel doesn't provide it. End of story.
Regards.
Okay, so that means I should be able to connect to a website's server with only stunnel, and only its client side, even if I have to specify the destination IP of the server? I tried that and it didn't seem to work either. I wrote the website's IP address after 'connect', tried to open the website in the browser, and it wasn't working. But maybe I just did something wrong. Thank you for the explanation though.
On Fri, 21 Dec 2018 00:01:08 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
Okay, so that means I should be able to connect to a website's server with only stunnel, and only its client side, even if I have to specify the destination IP of the server? I tried that and it didn't seem to work either. I wrote the website's IP address after 'connect', tried to open the website in the browser, and it wasn't working. But maybe I just did something wrong. Thank you for the explanation though.
Hi,
Stunnel is not for web browsing through it.
We already gave you reasons and explanations why that won't work. Read them again.
Regards.
On Fri, Dec 21, 2018 at 02:46:29AM +0100, Javier wrote:
On Fri, 21 Dec 2018 00:01:08 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
Okay, so that means I should be able to connect to a website's server with only stunnel, and only its client side, even if I have to specify the destination IP of the server? I tried that and it didn't seem to work either. I wrote the website's IP address after 'connect', tried to open the website in the browser, and it wasn't working. But maybe I just did something wrong. Thank you for the explanation though.
Hi,
Stunnel is not for web browsing through it.
We already gave you reasons and explanations why that won't work. Read them again.
Hm, there's no reason why stunnel would not work like that for a predetermined set of hosts with known addresses. I just set it up with a configuration section like this - but see below about me NOT recommending this way for servers that are not under your control:
    [fbsd-www]
    client = yes
    accept = 127.0.0.1:80
    connect = 96.47.72.84:443
    verifyChain = yes
    CApath = /etc/ssl/certs
    checkHost = wfe0.nyi.freebsd.org
...and I added "www.freebsd.org" to the list of hostnames for the 127.0.0.1 address in the system's hosts file (/etc/hosts on Unix-like operating systems, windows\System32\Drivers\etc\hosts on Windows). Then, when I ask for "http://www.freebsd.org/" (without HTTPS) in a browser or cURL or whatever, it gets the 127.0.0.1 address from the hosts file, connects to 127.0.0.1:80, then stunnel establishes a tunnel to the FreeBSD webserver's IP address, verifies its certificate, and lets the browser send its plaintext HTTP request there.
Of course, as I noted in the previous message, this will only let browsers connect through stunnel to hosts that have previously been defined in the stunnel configuration and in the hosts file. Also, since the hosts file takes over the resolving of the host name to IP address, it is your responsibility now to check whether www.freebsd.org changed its IP address; it is also your responsibility now to check whether the Common Name of the actual server also changed (wfe0.nyi.freebsd.org in this case) - chasing down DNS CNAME records can be... interesting sometimes.
All in all, I would have to say that I really do not recommend going down this road, especially for websites that are not under your control; this here was done merely as a proof of concept.
G'luck, Peter
On Fri, 21 Dec 2018 13:58:35 +0200 Peter Pentchev roam@ringlet.net wrote:
Hm, there's no reason why stunnel would not work like that for a predetermined set of hosts with known addresses.
Hi,
I'm just trying to avoid encouraging him to keep on with his first idea of browsing through Stunnel, with or without Privoxy.
Of course one site, one connection would work, if we forget about secondary issues and..., nevermind...
I give up :D
Regards.
It still doesn't seem to work. I tried it with deviantart.com again. Configuration:
    client = yes
    accept = 127.0.0.1:80
    connect = 52.85.220.247:443
    verifyChain = yes
    CAfile = ca-certs.pem
    checkHost = *.deviantart.com
The name after checkHost is the "Common Name" displayed when viewing the site's certificate in a browser (lock icon, view certificate). I also saved the certificate in case I would need to try the "certificate pinning" method. The connect IP is what 'get-site-ip.com' says the IP of the website is.
These are the logs:
    Service [fbsd-www] accepted connection from 127.0.0.1:4121
    s_connect: connected 52.85.220.247:443
    Service [fbsd-www] connected remote server from 192.168.0.3:4122
    SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
I know I pestered everyone long enough, but I still haven't been able to connect to anything. Without any verification it's the same.
On Sun, Dec 30, 2018 at 03:36:56AM +0100, kovacs janos wrote:
It still doesn't seem to work. I tried it with deviantart.com again. Configuration:
    client = yes
    accept = 127.0.0.1:80
    connect = 52.85.220.247:443
    verifyChain = yes
    CAfile = ca-certs.pem
    checkHost = *.deviantart.com
The name after checkHost is the "Common Name" displayed when viewing the site's certificate in a browser (lock icon, view certificate). I also saved the certificate in case I would need to try the "certificate pinning" method. The connect IP is what 'get-site-ip.com' says the IP of the website is.
These are the logs:
    Service [fbsd-www] accepted connection from 127.0.0.1:4121
    s_connect: connected 52.85.220.247:443
    Service [fbsd-www] connected remote server from 192.168.0.3:4122
    SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
I know I pestered everyone long enough, but I still haven't been able to connect to anything. Without any verification it's the same.
I'm sorry, my mistake. In a reply to somebody else on the list a couple of days later I mentioned that for HTTPS you may also need to set the "sni = www.deviantart.com" connection option so that stunnel tells the server "I'm trying to establish an HTTPS connection to this particular server", which, for HTTPS, may be important when multiple virtual hosts all live on the same IP address.
I haven't tried it with stunnel, but I just tried to establish a TLS connection to the IP address you specified using "openssl s_client" and it failed, and then I tried to specify the "-servername www.deviantart.com" s_client option, and it worked. So try adding "sni = www.deviantart.com" to your stunnel configuration section and see if it helps.
Sorry again, I should have thought about this from the start; I was misled by the fact that the FreeBSD webserver did not require the Server Name Indication extension to work, but apparently DeviantArt does.
G'luck, Peter
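The client-side service section with the SNI fix applied, as an added example written for this thread; it is not code from the original posts or from the stunnel project. It assumes stunnel 5.x (verifyChain, checkHost and the client-mode sni option are not in the old 4.x releases), the server IP quoted in the post, and a CA bundle at ca-certs.pem. Before changing the config, reproduce the diagnosis Peter describes: "openssl s_client -connect 52.85.220.247:443" fails, while the same command with "-servername www.deviantart.com" completes the handshake, which means the server needs the Server Name Indication extension and the missing piece is sni. Two further points a practitioner would want: checkHost takes the hostname you expect, not the certificate's Common Name pattern, because stunnel matches it against the certificate's subject and SAN entries and handles wildcard certificates itself, so it should read www.deviantart.com rather than *.deviantart.com; and with accept = 127.0.0.1:80 the browser will send "Host: 127.0.0.1", which most sites reject. The usual workaround (an assumption here, not something from the thread) is a hosts-file entry mapping www.deviantart.com to 127.0.0.1 and browsing to http://www.deviantart.com/ so the Host header and cookies are right, which is also why connect must use the server's IP address rather than its name, since the name now resolves to loopback.

```ini
; Added example for this thread, not from the original posts or from stunnel.
; Assumes stunnel 5.x, the IP address quoted in the thread, and a CA bundle
; named ca-certs.pem in stunnel's working directory.

[deviantart]
client = yes
; Plaintext side, loopback only. Never bind this to a routable address:
; everything between the browser and stunnel is unencrypted HTTP.
accept = 127.0.0.1:80

; TLS side. Connect by IP, not by name, because www.deviantart.com is
; assumed to be mapped to 127.0.0.1 in the hosts file so the browser
; sends the correct Host header.
connect = 52.85.220.247:443

; The fix: send the Server Name Indication extension so the server can pick
; the right virtual host. Without it the handshake ends in the
; "sslv3 alert handshake failure" seen in the log.
sni = www.deviantart.com

; Verify the certificate chain against the CA bundle, and require that the
; certificate is issued for the expected hostname. Wildcard certificates
; (*.deviantart.com) match this name; do not put the wildcard pattern here.
verifyChain = yes
CAfile = ca-certs.pem
checkHost = www.deviantart.com

; Refuse the legacy protocol versions on the outbound leg; the point of the
; bridge is to speak TLS 1.1/1.2 on the browser's behalf, not SSLv2/SSLv3.
options = NO_SSLv2
options = NO_SSLv3
```

One section per site is needed with this layout, each with its own accept port and hosts-file entry, which is the "one site, one connection" limitation mentioned earlier in the thread; a general proxy that rewrites every https:// destination dynamically is a different tool than a static stunnel client section.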