[stunnel-users] older browsers, stunnel and privoxy

kovacs janos kovacsjanosfasz at gmail.com
Wed Dec 5 16:16:54 CET 2018


Thank you for the suggestions, but can someone tell me in what cases
stunnel can be used?
I can connect to HTTP websites through it, but HTTPS doesn't work, even
though it would otherwise work.
I try to connect to 'https://via.hypothes.is/' like this, which I can
access in the browser without any proxy:
[Tunnel_in]
client = yes
accept = 127.0.0.1:443
connect = via.hypothes.is:443

I get these logs:
LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
LOG5[1]: s_connect: connected 104.20.214.15:443
LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket

and the browser just shows a 'server not found' error.
With HTTP sites it's the same logs except for the IP and bytes, and it
loads in the browser.

On 12/5/18, Flo Rance <trourance at gmail.com> wrote:
> I would recommend to use squid which is able to do SSL bump.
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
> will establish a TLSv1.2 to the final destination.
>
> Regards,
> Flo
>
> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosfasz at gmail.com>
> wrote:
>
>> Well, what I meant is forwarding to the current address the browser
>> connects to, so basically browsing through stunnel.
>>
>> Is it really that complicated to achieve that? If I configure stunnel
>> as a client, and make the browser send traffic to the accept address,
>> shouldn't stunnel encrypt the traffic with TLS and forward it to the
>> connect address? If that's true, shouldn't it also decrypt returning
>> traffic and send it back to the browser?
>> When I configured stunnel as both client and server on the same
>> computer, it worked, but the browser still gave
>> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
>> decrypted it again before it reached the website's server?
>>
>> I don't necessarily need it to strip encryption, just use anything
>> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
>> sites that would otherwise give a cypher error, and they stay as HTTPS.
>>
>> On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
>> > Hello,
>> >
>> >> I'm trying to make older browsers able to display TLS 1.1 and TLS
>> >> 1.2 sites.
>> >> I heard stunnel can't be configured to always forward to the current
>> >> site address dynamically, that's why I would use privoxy.
>> >
>> > If by "forward to the current site address dynamically" you meant
>> > "forward to the current address of one specific domain" then stunnel
>> > can achieve that by adding "delay = yes".
>> >
>> > However, if I understood correctly, you wanted to let stunnel strip
>> > or remove SSL for whatever sites you visit. Then no, I don't think you
>> > can achieve that with privoxy and stunnel. If that's what you want, I
>> > would suggest you use nginx to remove SSL. The following example
>> > configuration will let nginx "upgrade" your HTTP request to HTTPS.
>> >
>> > events {}
>> > http {
>> >     server {
>> >         resolver 9.9.9.9;
>> >         listen 80;
>> >         location / {
>> >             proxy_pass https://$host$request_uri;
>> >             proxy_set_header Host $http_host;
>> >         }
>> >     }
>> > }
>> >
>> > You can then point any domain to the nginx server (for example, via the
>> > hosts file) and visit the site via HTTP. This will make HTTPS-only
>> > servers happy.
>> >
>> > That won't strip third-party HTTPS:// URL resources like NewIPNow does,
>> > but you can use the nginx "sub_filter" to replace HTTPS with HTTP in
>> > HTML. Also there are "security features" like "Content-Security-Policy"
>> > that prevent modern browsers from visiting your SSL-stripped sites, but
>> > I believe your outdated browser will happily ignore those.
>> >
>> > --Zizhong
>> >
>> >
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>
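An added configuration example for the single-site case discussed in this thread; it is not from any of the posters. In client mode stunnel accepts plaintext and adds TLS, so with `accept = 127.0.0.1:443` the old browser sends its own TLS handshake into the tunnel and the remote HTTPS server receives a TLS ClientHello where it expects an HTTP request. The fix is to have the browser speak plain HTTP to stunnel and let stunnel do the TLS and the certificate check the browser cannot. Assumed: a hosts-file entry `127.0.0.1 via.hypothes.is` so the browser sends the right Host header, and a CA bundle at the path below; the IP address is the one from the log in the message above and may change.

```ini
; Added example, not the original poster's config.
; The browser visits http://via.hypothes.is/ (hosts file points the name
; at 127.0.0.1), stunnel adds TLS 1.2 towards the real server.
[hypothesis_upgrade]
client = yes
accept = 127.0.0.1:80
; Connect by IP: the hosts-file entry would otherwise resolve the name
; to 127.0.0.1 and make stunnel connect to itself.
; 104.20.214.15 is the address from the log above (assumed still valid).
connect = 104.20.214.15:443
; SNI must carry the real hostname, since connect= holds an IP
sni = via.hypothes.is
; Let stunnel verify the server certificate and its hostname,
; which is the check the old browser can no longer perform
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = via.hypothes.is
; Only speak TLS 1.2 on the outside leg
sslVersion = TLSv1.2
```

With this layout the "bytes sent to TLS" counter in the LOG5 line should grow to the size of a real HTTP request rather than the ~200 bytes of a wrapped ClientHello, which is a quick way to confirm the browser is no longer negotiating TLS with stunnel itself.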
