From: Josealf.rm josealf@rocketmail.com
Sent: Tuesday, November 7, 2017 10:41 AM
To: Peter Pentchev
Cc: Osvald Brko; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Web browsing over stunnel
Osvald,
Peter made a very clear explanation. Note that your connect statement should be something like:
connect=104.239.213.7:443
And you should test using something like:
O.K., I understand it. www.stunnel.org still refuses the connection (see below), but I was able to open www.wikipedia.org:
http://www.wikipedia.org:8888/
[https_test]
client = yes
accept = 127.0.0.1:8888
connect = 91.198.174.192:443

#127.0.0.1 localhost
#127.0.0.1 www.stunnel.org
127.0.0.1 www.wikipedia.org
But of course I am not able to use any web link, and I can see only the default main page without any path. So stunnel is completely unusable for web browsing, am I right?
O.B.
===== http://www.stunnel.org:8888/
[https_test]
client = yes
accept = 127.0.0.1:8888
connect = 207.192.69.165:443

#127.0.0.1 localhost
127.0.0.1 www.stunnel.org
#127.0.0.1 www.wikipedia.org
2017.11.07 15:51:37 LOG7[main]: Service [https_test] (FD=260) bound to 127.0.0.1:8888
2017.11.07 15:51:37 LOG7[cron]: Cron thread initialized
2017.11.07 15:51:53 LOG7[main]: Found 1 ready file descriptor(s)
2017.11.07 15:51:53 LOG7[main]: FD=232 ifds=r-x ofds=---
2017.11.07 15:51:53 LOG7[main]: FD=248 ifds=r-x ofds=---
2017.11.07 15:51:53 LOG7[main]: Service [https_test] accepted (FD=300) from 127.0.0.1:3197
2017.11.07 15:51:53 LOG7[main]: Creating a new thread
2017.11.07 15:51:53 LOG7[main]: New thread created
2017.11.07 15:51:53 LOG7[0]: Service [https_test] started
2017.11.07 15:51:53 LOG7[0]: Option TCP_NODELAY set on local socket
2017.11.07 15:51:53 LOG5[0]: Service [https_test] accepted connection from 127.0.0.1:3197
2017.11.07 15:51:53 LOG6[0]: s_connect: connecting 207.192.69.165:443
2017.11.07 15:51:53 LOG7[0]: s_connect: s_poll_wait 207.192.69.165:443: waiting 10 seconds
2017.11.07 15:51:53 LOG5[0]: s_connect: connected 207.192.69.165:443
2017.11.07 15:51:53 LOG5[0]: Service [https_test] connected remote server from XX.XXX.XXX.XXX:3198
2017.11.07 15:51:53 LOG7[0]: Option TCP_NODELAY set on remote socket
2017.11.07 15:51:53 LOG7[0]: Remote descriptor (FD=320) initialized
2017.11.07 15:51:53 LOG6[0]: SNI: sending servername: 207.192.69.165
2017.11.07 15:51:53 LOG6[0]: Peer certificate not required
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): before/connect initialization
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv2/v3 write client hello A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read server hello A
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read server certificate A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read server key exchange A
2017.11.07 15:51:53 LOG6[0]: Client certificate not requested
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read server done A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 write client key exchange A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 write change cipher spec A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 write finished A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 flush data
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read server session ticket A
2017.11.07 15:51:53 LOG7[0]: TLS state (connect): SSLv3 read finished A
2017.11.07 15:51:53 LOG7[0]: 1 client connect(s) requested
2017.11.07 15:51:53 LOG7[0]: 1 client connect(s) succeeded
2017.11.07 15:51:53 LOG7[0]: 0 client renegotiation(s) requested
2017.11.07 15:51:53 LOG7[0]: 0 session reuse(s)
2017.11.07 15:51:53 LOG6[0]: TLS connected: new session negotiated
2017.11.07 15:51:53 LOG7[0]: Peer certificate was cached (7519 bytes)
2017.11.07 15:51:53 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2017.11.07 15:51:53 LOG7[0]: Compression: null, expansion: null
2017.11.07 15:51:58 LOG7[0]: TLS alert (read): warning: close notify
2017.11.07 15:51:58 LOG6[0]: TLS closed (SSL_read)
2017.11.07 15:51:58 LOG7[0]: Sent socket write shutdown
2017.11.07 15:51:59 LOG3[0]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2017.11.07 15:51:59 LOG5[0]: Connection reset: 483 byte(s) sent to TLS, 429 byte(s) sent to socket
2017.11.07 15:51:59 LOG7[0]: Remote descriptor (FD=320) closed
2017.11.07 15:51:59 LOG7[0]: Local descriptor (FD=300) closed
2017.11.07 15:51:59 LOG7[0]: Service [https_test] finished (0 left)
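As an added example (not code from the thread or from the stunnel project), a small Python audit of stunnel client-mode debug log lines, run over a constructed sample modelled on the log above: per connection it records the SNI value and flags it when it is an IP literal rather than a hostname, notes whether certificate verification was disabled, keeps the negotiated ciphersuite, and collects LOG3 errors such as the connection reset.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample modelled on the stunnel debug log quoted in the
# thread (not the original log); one entry per line as stunnel writes them.
SAMPLE_LOG = """\
2017.11.07 15:51:53 LOG5[0]: Service [https_test] accepted connection from 127.0.0.1:3197
2017.11.07 15:51:53 LOG6[0]: s_connect: connecting 207.192.69.165:443
2017.11.07 15:51:53 LOG6[0]: SNI: sending servername: 207.192.69.165
2017.11.07 15:51:53 LOG6[0]: Peer certificate not required
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Certificate verification disabled
2017.11.07 15:51:53 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2017.11.07 15:51:59 LOG3[0]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2017.11.07 15:51:59 LOG5[0]: Connection reset: 483 byte(s) sent to TLS, 429 byte(s) sent to socket
"""

# "<date> <time> LOG<level>[<connection id>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")


def audit_stunnel_log(text: str) -> Dict[str, dict]:
    """Group entries by connection id and record what a reviewer looks for:
    the SNI sent, whether verification was off, ciphersuite, LOG3 errors."""
    conns: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, level, cid, msg = m.groups()
        c = conns.setdefault(cid, {"sni": None, "ciphersuite": None,
                                   "findings": [], "errors": []})
        if msg.startswith("SNI: sending servername: "):
            c["sni"] = msg.rsplit(" ", 1)[1]
            # An IP literal in SNI cannot select a virtual host, so the
            # server may serve a default site or drop the connection.
            try:
                ipaddress.ip_address(c["sni"])
                c["findings"].append("sni-is-ip-literal")
            except ValueError:
                pass
        elif msg == "Certificate verification disabled":
            # stunnel repeats this per chain element; record it once.
            if "verification-disabled" not in c["findings"]:
                c["findings"].append("verification-disabled")
        elif msg.startswith("Negotiated "):
            c["ciphersuite"] = msg.split()[3]
        elif int(level) <= 3:
            c["errors"].append(msg)
    return conns
```

In stunnel's client mode the two findings correspond to the verifyChain/CAfile (or checkHost) options and to the sni option, which sends the configured server name instead of the literal address from connect.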
On 11/07/2017 04:28 PM, Osvald Brko wrote:
127.0.0.1 www.wikipedia.org But of course I am not able to use any web link, and I can see only the default main page without any path. So stunnel is completely unusable for web browsing, am I right?
This setup should allow you to browse the entirety of www.wikipedia.org, *including* other paths/pages thereon.
Considering that *other* hostnames appear even right on the starting page (commons.wikimedia.org, www.wikiquote.org, upload.wikimedia.org, etc.), you're unlikely to *stay* within those limits for any length of time, though.
(On many other websites, the CSS etc. will *already* be under another hostname, so even the start page will "not look right" if your direct access to the Internet is blocked. And don't even think about sites using CDNs.)
If by "web browsing", you mean (potentially) the *entire* web instead of one specific standalone server, you need a web proxy, which stunnel is not.
Regards,
From: Jochen Bern Jochen.Bern@binect.de
Sent: Tuesday, November 7, 2017 5:05 PM
To: stunnel-users@stunnel.org
Cc: bflmpsvz@hotmail.com
Subject: Re: [stunnel-users] Web browsing over stunnel
On 11/07/2017 04:28 PM, Osvald Brko wrote:
127.0.0.1 www.wikipedia.org But of course I am not able to use any web link, and I can see only the default main page without any path. So stunnel is completely unusable for web browsing, am I right?
This setup should allow you to browse the entirety of www.wikipedia.org, *including* other paths/pages thereon.
I would not believe that, because links do not contain the necessary port (for instance :8888, which I chose), but where the path is relative, there it really works.
Considering that *other* hostnames appear even right on the starting page (commons.wikimedia.org, www.wikiquote.org, upload.wikimedia.org, etc.), you're unlikely to *stay* within those limits for any length of time, though.
I see. The page www.wikipedia.org contains *solely* links to other page addresses, that's the problem which confused me.
And regarding the www.stunnel.org, http://www.stunnel.org:8888/ does not work, while http://www.stunnel.org:8888/index.html does.
At last I was quite successful with a configuration like this:

hosts:
127.0.0.1 localhost
127.0.0.2 en.wikipedia.org
127.0.0.3 upload.wikimedia.org
127.0.0.4 commons.wikimedia.org
127.0.0.5 www.stunnel.org

stunnel.conf:
[https_en.wikip]
client = yes
accept = 127.0.0.2:8888
connect = 91.198.174.192:443

[https_upload.wikim]
client = yes
accept = 127.0.0.3:8888
connect = 91.198.174.208:443

[https_commons.wikim]
client = yes
accept = 127.0.0.4:8888
connect = 91.198.174.192:443

[https_stunnel]
client = yes
accept = 127.0.0.5:8888
connect = 207.192.69.165:443

Of course, I had to add the :8888 port to linked addresses and delete "s" from "https" manually, but better than nothing :-) .
Regards,
Olda
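The manual step described in the last message, adding :8888 and turning https into http for every link, as an added Python example (not code from the thread): it rewrites absolute https links only for hostnames that have a hosts-file entry and a stunnel section, leaves relative links alone, and reports the hostnames that have no tunnel and would therefore break once direct Internet access is blocked. The hostname set, port and page markup are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Hostnames the hosts file points at loopback addresses, each with its own
# stunnel [section] accepting on port 8888 (the setup from the thread).
TUNNELED: Set[str] = {"en.wikipedia.org", "upload.wikimedia.org",
                      "commons.wikimedia.org", "www.stunnel.org"}
LOCAL_PORT = 8888

# Constructed sample markup, not real Wikipedia HTML.
SAMPLE_HTML = """<a href="https://en.wikipedia.org/wiki/Stunnel">article</a>
<img src="https://upload.wikimedia.org/logo.png">
<a href="https://www.wikiquote.org/">quote</a>
<a href="/wiki/Main_Page">relative</a>"""

# href="https://host/path" or src="https://host/path" (double-quoted only)
URL_ATTR = re.compile(r'((?:href|src)=")https://([^/":]+)(/[^"]*)?"')


def rewrite_links(html: str, tunneled: Set[str] = TUNNELED,
                  port: int = LOCAL_PORT) -> Tuple[str, List[str]]:
    """Rewrite https links to tunneled hosts as http://host:port/... and
    return the rewritten page plus the sorted hosts that have no tunnel."""
    untunneled: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        prefix, host, path = m.group(1), m.group(2), m.group(3) or "/"
        if host not in tunneled:
            untunneled.append(host)      # left as-is; will not load offline
            return m.group(0)
        # The browser talks plain http to the loopback listener; stunnel
        # adds TLS only on the hop to the real server.
        return f'{prefix}http://{host}:{port}{path}"'

    return URL_ATTR.sub(repl, html), sorted(set(untunneled))
```

This only patches links on pages you already fetched through a tunnel; it does not turn stunnel into a web proxy, and the loopback leg stays unencrypted.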