[stunnel-users] older browsers, stunnel and privoxy

Flo Rance trourance at gmail.com
Tue Dec 4 16:23:07 CET 2018


This is not what I've understood from your first description. You would
like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web
proxy.

This is why I don't think stunnel is intended for that.

That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason
and you should seriously think about updating your tools.

Regards,
Flo

On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <kovacsjanosfasz at gmail.com>
wrote:

> well, it says this on the first line of the website:
> "Stunnel is a proxy designed to add TLS encryption functionality to
> existing clients and servers without any changes in the programs'
> code."
>
> i just want to add TLS functionality to client browsers which don't
> have it. i only need stunnel to decrypt TLS traffic going back to the
> browser.
>
> On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
> > Sorry I didn't read it correctly. I don't think this is something stunnel
> > can handle.
> >
> > Regards,
> > Flo
> >
> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <kovacsjanosfasz at gmail.com>
> > wrote:
> >
> >> thank you for the reply,
> >> it's the address and port where privoxy listens for requests.
> >> from the config file:
> >> "#  4.1. listen-address
> >> #  ====================
> >> #
> >> #  Specifies:
> >> #
> >> #      The IP address and TCP port on which Privoxy will listen for
> >> #      client requests."
> >> and under it:
> >>
> >> listen-address  127.0.0.1:8118
> >>
> >> On 12/3/18, Flo Rance <trourance at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > It's not clear in your description what is running on 8118 local port.
> >> >
> >> > Regards,
> >> > Flo
> >> >
> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <kovacsjanosfasz at gmail.com>
> >> > wrote:
> >> >
> >> >> sorry to bother,
> >> >> i'm trying to make older browsers be able to display TLS 1.1 and
> >> >> TLS 1.2 sites.
> >> >> i heard stunnel can't be configured to always forward to the current
> >> >> site address dynamically, that's why i would use privoxy.
> >> >> the browser is configured to send to:
> >> >> 127.0.0.1  443
> >> >>
> >> >> stunnel config has this at the end:
> >> >> [Tunnel_in]
> >> >> client = yes
> >> >> accept = 127.0.0.1:443
> >> >> connect = 127.0.0.1:8118
> >> >> verifyChain = yes
> >> >> CAfile = ca-certs.pem
> >> >> checkHost = localhost
> >> >>
> >> >> 127.0.0.1:8118 is the privoxy address.
> >> >> this is what stunnel writes:
> >> >> LOG5[main]: Configuration successful
> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
> >> >>
> >> >> and the browser infinitely loads, and never loads anything or leaves
> >> >> the page.
> >> >> if i remove the last 3 lines, it's the same just with this line added:
> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
> >> >>
> >> >> but it doesn't give an error or anything.
> >> >>
> >> >> with a configuration like:
> >> >> [Tunnel_out]
> >> >> client = no
> >> >> accept = 127.0.0.1:443
> >> >> connect = 127.0.0.1:8118
> >> >> cert = stunnel.pem
> >> >>
> >> >> this is what it gives:
> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> >> >>
> >> >> and browser gives a server not found error immediately. i'm not even
> >> >> sure if i should use client or server configuration in a case like
> >> >> this, but none of them works anyway. all i would need is for my
> >> >> browser to get the pages decrypted, or at least in less than TLS1.1.
> >> >> like how on newipnow.com i can access sites with any encryption,
> >> >> since they are sent to the browser without encryption. the browser
> >> >> just gives an "unencrypted tunnel" warning, which is how i found
> >> >> stunnel, and which is exactly what i need, just locally.
> >> >> _______________________________________________
> >> >> stunnel-users mailing list
> >> >> stunnel-users at stunnel.org
> >> >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> >> >>
> >> >
> >>
> >
>
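
Added example (not part of the original thread, and not stunnel's or OpenSSL's code): the `https proxy request` reason in the quoted `SSL_accept` log line is what a TLS listener reports when the first bytes it receives are a plaintext HTTP `CONNECT` rather than a TLS ClientHello. The sketch below classifies the first bytes of a connection in the same way; the function names and sample bytes are constructed for illustration.

```python
# Added illustration: decide what kind of peer is talking to a listener by
# looking at the first bytes it sends, as a TLS server must before handshaking.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def classify_first_bytes(data: bytes) -> str:
    """Return a short label for the protocol the first bytes belong to."""
    if len(data) < 5:
        return "need more data"
    # TLS record header: type 0x16 (handshake), version major 0x03, minor, length.
    if data[0] == 0x16 and data[1] == 0x03:
        # The first handshake message has to be a ClientHello (type 0x01).
        if len(data) > 5 and data[5] != 0x01:
            return "tls record, not a ClientHello"
        return "tls client hello (record version 3.%d)" % data[2]
    if data.startswith(b"CONNECT "):
        return "https proxy request"   # browser believes it talks to a proxy
    if data.startswith(HTTP_METHODS):
        return "http request"
    return "unknown protocol"

def connect_target(data: bytes):
    """Extract (host, port) from a plaintext CONNECT request line, else None."""
    if not data.startswith(b"CONNECT "):
        return None
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or ":" not in parts[1]:
        return None
    host, _, port = parts[1].rpartition(":")
    if not port.isdigit():
        return None
    return host, int(port)

# Constructed sample inputs (hypothetical host name).
BROWSER_TO_PROXY = (b"CONNECT www.example.org:443 HTTP/1.0\r\n"
                    b"Host: www.example.org:443\r\n\r\n")
TLS10_HELLO_START = bytes([0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b])

if __name__ == "__main__":
    for name, sample in (("browser to proxy port", BROWSER_TO_PROXY),
                         ("tls client", TLS10_HELLO_START)):
        print(name, "=>", classify_first_bytes(sample), connect_target(sample))
```

The destination a browser wants is only visible in the `CONNECT` line, which is why a listener with one fixed `connect` address has nothing to act on it with.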