Hi Janos,
Mail (SMTP / POP / IMAP) uses different protocols than HTTPS. I was not able to connect via stunnel to a server via HTTPS, and this was the reason to create and use my HTTPSProxy. HTTPSProxy is based on this code (local front- and rear proxy are connected directly without Proxomitron):
https://prxbx.com/forums/showthread.php?tid=2172
https://prxbx.com/forums/showthread.php?tid=2191&pid=19252#pid19252
You can build your own release with python if you do not trust the versions offered by me or HeinoGanda on MSFN.
Regards Thomas S.
-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of stunnel-users-request@stunnel.org
Sent: Friday, December 07, 2018 12:00 PM
To: stunnel-users@stunnel.org
Subject: stunnel-users Digest, Vol 173, Issue 7
Today's Topics:
1. Re: older browsers, stunnel and privoxy (kovacs janos)
----------------------------------------------------------------------
Message: 1
Date: Fri, 7 Dec 2018 01:30:21 +0100
From: kovacs janos kovacsjanosfasz@gmail.com
To: Flo Rance trourance@gmail.com
Cc: zizazit@protonmail.com, stunnel-users@stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: CAOchpkp+5YDig_XpWPFVdP9zQ-L2UN10p8Wzsm9ggv2iuWpU8Q@mail.gmail.com
Content-Type: text/plain; charset="UTF-8"
now i'm really not sure, since the wikipedia page on stunnel also describes the program doing exactly what i need in the Example scenario section: https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."
only difference is, i need it to forward "unsecured traffic" to my browser client, not a server. are you all sure it's really not possible?
On 12/5/18, kovacs janos kovacsjanosfasz@gmail.com wrote:
thank you for suggestions, but can someone tell me in what cases stunnel can be used? i can connect to http websites through it, but https doesn't work, even if it would otherwise do. i try to connect to 'https://via.hypothes.is/' like this, which i can access in browser without any proxy:
[Tunnel_in]
client = yes
accept = 127.0.0.1:443
connect = via.hypothes.is:443
i get these logs:
LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
LOG5[1]: s_connect: connected 104.20.214.15:443
LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
and the browser just shows a 'server not found' error. with http sites it's the same logs except the IP and bytes, and it loads in the browser.
On 12/5/18, Flo Rance trourance@gmail.com wrote:
I would recommend using squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Therefore, you'll be able to connect with TLS1.0 to squid and the proxy will establish a TLSv1.2 connection to the final destination.
Regards, Flo
On Tue, Dec 4, 2018 at 9:38 PM kovacs janos kovacsjanosfasz@gmail.com wrote:
well, what i meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.
is it really that complicated to achieve that? if i configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and send forward to the connect address? if that's true, shouldn't it also decrypt returning traffic and send back to the browser? when i configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. probably because the server side decrypted it again before it reached the website's server?
i don't necessarily need it to strip encryption, just use anything below TLS 1.1. for example on 'https://via.hypothes.is/' i can visit sites that would otherwise give cypher error, and they stay as https
On 12/4/18, Zizhong Zhang zizazit@protonmail.com wrote:
Hello,
i'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites. i heard stunnel can't be configured to always forward to the current site address dynamically, that's why i would use privoxy.
If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".
However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.
events {}
http {
    server {
        resolver 9.9.9.9;
        listen 80;
        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;
        }
    }
}
You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.
That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your out-dated browser will happily ignore those.
--Zizhong
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
------------------------------
End of stunnel-users Digest, Vol 173, Issue 7 *********************************************