Hello.
I have successfully configured my email client (Outlook 2010) to my provider with TLS1.2 via stunnel running as a service. config:
debug = 5
engine = capi

[freenet-pop3s]
client = yes
EngineID = capi
accept = localhost:2110
connect = mx.freenet.de:995

[freenet-smpts]
client = yes
EngineID = capi
accept = localhost:2025
connect = mx.freenet.de:465
That was no problem.
But at this point I am wondering if it is possible, and how, to configure stunnel so that "all" https traffic from Internet Explorer goes through stunnel and connects to the internet with the highest security level supported. Not only to one specific server (connect = xyz.net) but to all servers given in the IE address bar.
By now I guess that I have to set IE so that it uses an https proxy at "localhost:xxx" with the stunnel config "accept = localhost:xxx". But what is the stunnel config for "connect x.x.x.x:443" so that it connects to the right server on the internet that I specified in the IE address line?
Can someone give me a hint? Or impossible?
Thanks a lot
Thomas
On Thu, Oct 19, 2017 at 08:58:17PM +0200, Thomas GMX wrote:
> Hello.
> I have successfully configured my email client (Outlook 2010) to my provider with TLS1.2 via stunnel running as a service. config:
> [snip working secure POP3 and SMTP config]
> That was no problem.
> But at this point I am wondering if it is possible, and how, to configure stunnel so that "all" https traffic from Internet Explorer goes through stunnel and connects to the internet with the highest security level supported. Not only to one specific server (connect = xyz.net) but to all servers given in the IE address bar.
> By now I guess that I have to set IE so that it uses an https proxy at "localhost:xxx" with the stunnel config "accept = localhost:xxx". But what is the stunnel config for "connect x.x.x.x:443" so that it connects to the right server on the internet that I specified in the IE address line?
> Can someone give me a hint? Or impossible?
You can't really do that for two reasons. The first one is that stunnel does not support it :)
The second one is that there's no way to do it; that's not how the HTTPS protocol (or TLS itself) works. One of the two major goals of TLS is the certainty that you're talking to the right server (authentication) - that's what the whole trouble with certificates (and the whole paid certificate scam) is all about. The other goal is data encryption, but it is secondary for this discussion.
So let's talk about authentication. The main idea here is that the endpoint of the connection - your browser - talks directly to the other endpoint of the connection - the webserver, so that the browser can see the server's certificate, make sure that it is valid, make sure that it is issued by a trusted certificate authority, and make sure that it is actually issued to this server (by hostname). If you want to use stunnel to get "the highest secure level supported", you would need to have it (stunnel) establish the TLS connection to the server. So if you try to get your browser to establish an HTTPS connection to stunnel and then have stunnel establish a second, separate, HTTPS connection to the server, your browser will never see the TLS handshake of stunnel's connection to the server, so your browser cannot really be sure that stunnel (and, by extension, your browser) is talking to the correct server - and the whole point of TLS is rendered moot.
That's why HTTPS proxying is done in a different way: the browser connects to the proxy and tells it "CONNECT address:port"; the proxy verifies that the browser is allowed to go through it and then establishes a normal TCP connection to the remote host and forwards *everything* - it doesn't try to manage that connection in any way, it lets the browser talk directly to the server. (Yeah, yeah, I'm very much and very painfully aware of the whole deep packet inspection mess... let's not talk about it at all, mmkay?) In this case, of course, the TLS connection is fully managed by the browser and stunnel, even if it did support some kind of dynamic proxying, would not be able to choose encryption algorithms.
Hope that helps!
G'luck, Peter
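To make Peter's description of HTTPS proxying concrete, here is an added example that is not part of the thread and not stunnel's code: a minimal CONNECT handler in Python. The browser side sends "CONNECT host:port", the proxy checks whether that tunnel is allowed (the allow-list of port 443 only is an assumption for this demonstration), answers 200, and from then on copies bytes in both directions without parsing them. The demo drives it over in-memory socket pairs with constructed messages, so you can see that the proxy never touches the TLS handshake: the bytes the server receives are exactly the bytes the browser sent, which is why the browser, not the proxy, ends up verifying the server's certificate.

```python
import socket
import threading

# Assumption (not from the thread): only tunnels to port 443 are accepted.
ALLOWED_PORTS = {443}


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def _pump(src, dst):
    """Copy bytes verbatim from src to dst until EOF, then half-close dst.
    Nothing here is parsed: after CONNECT the stream is opaque TLS."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_connect(client, dial):
    """Serve one CONNECT request on `client`. `dial(host, port)` returns the
    upstream socket (injected so the example runs on socket pairs).
    Returns the HTTP status code sent to the client."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = client.recv(4096)
        if not chunk:
            return 400
        head += chunk
    head, _, early = head.partition(b"\r\n\r\n")  # bytes after the head belong to the tunnel
    target = parse_connect(head.split(b"\r\n", 1)[0])
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return 400
    host, port = target
    if port not in ALLOWED_PORTS:  # "is the browser allowed to go through" check
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return 403
    upstream = dial(host, port)
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if early:
        upstream.sendall(early)
    back = threading.Thread(target=_pump, args=(upstream, client))
    back.start()
    _pump(client, upstream)
    back.join()
    upstream.close()
    return 200


def demo():
    """Browser/proxy/server exchange over socket pairs; all messages constructed."""
    browser, proxy_side = socket.socketpair()
    server, upstream_side = socket.socketpair()
    seen = {}

    def dial(host, port):
        seen["dialed"] = (host, port)
        return upstream_side

    worker = threading.Thread(target=lambda: seen.update(status=serve_connect(proxy_side, dial)))
    worker.start()
    browser.sendall(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n")
    reply = b""
    while b"\r\n\r\n" not in reply:
        reply += browser.recv(4096)
    seen["reply"] = reply.split(b"\r\n", 1)[0]
    browser.sendall(b"\x16\x03\x01\x00\x05hello")  # stand-in for a TLS ClientHello record
    browser.shutdown(socket.SHUT_WR)
    seen["server_saw"] = server.recv(4096)
    server.sendall(b"\x16\x03\x03\x00\x05reply")  # stand-in for the server's TLS record
    server.shutdown(socket.SHUT_WR)
    data = b""
    while True:
        chunk = browser.recv(4096)
        if not chunk:
            break
        data += chunk
    seen["browser_saw"] = data
    worker.join()
    for s in (browser, proxy_side, server):
        s.close()
    return seen


def refused_demo(port=80):
    """A CONNECT to a port outside ALLOWED_PORTS is refused before any dialing."""
    browser, proxy_side = socket.socketpair()
    browser.sendall(b"CONNECT example.com:%d HTTP/1.1\r\n\r\n" % port)
    status = serve_connect(proxy_side, lambda h, p: None)
    browser.close()
    proxy_side.close()
    return status
```

Run `demo()` and compare `server_saw` with what the browser sent: they are byte-identical, and the proxy only ever saw the CONNECT line. That is the property stunnel would have to give up to "pick the highest security level" on the browser's behalf, which is exactly why it cannot be done without breaking the authentication the browser relies on.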