[stunnel-users] older browsers with modern HTTPS - stunnel-users Digest, Vol 173, Issue 4

kovacs janos kovacsjanosfasz at gmail.com
Wed Dec 5 19:13:11 CET 2018


Thank you, but I know about it; I'm "Youse" on that forum. I wanted to
try stunnel because it seems safer and generally accepted while
promising about the same thing, and it works on my OS too.

On 12/5/18, Thomas GMX <thomas.s.wolfsburg at gmx.de> wrote:
> Hi Janos,
>
> you can use a local proxy to "translate" HTTPS TLS1.0 to TLS1.2
> Look here:
>
> https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?page=7&tab=comments#comment-1155858
>
> HTTPSProxy (and tools) manage the whole traffic locally (in- and outgoing
> HTTPS), but need manual configuration as described in the help files.
> If you have questions please ask in this forum.
>
> Regards Thomas S.
>
>
>
> -----Original Message-----
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
> stunnel-users-request at stunnel.org
> Sent: Wednesday, December 05, 2018 10:12 AM
> To: stunnel-users at stunnel.org
> Subject: stunnel-users Digest, Vol 173, Issue 4
>
> Send stunnel-users mailing list submissions to
> 	stunnel-users at stunnel.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> or, via email, send a message with subject or body 'help' to
> 	stunnel-users-request at stunnel.org
>
> You can reach the person managing the list at
> 	stunnel-users-owner at stunnel.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of stunnel-users digest..."
>
>
> Today's Topics:
>
>    1. Re: older browsers, stunnel and privoxy (kovacs janos)
>    2. Re: older browsers, stunnel and privoxy (Zizhong Zhang)
>    3. Re: older browsers, stunnel and privoxy (kovacs janos)
>    4. Re: older browsers, stunnel and privoxy (Flo Rance)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Dec 2018 19:27:15 +0100
> From: kovacs janos <kovacsjanosfasz at gmail.com>
> To: Flo Rance <trourance at gmail.com>
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID:
> 	<CAOchpkrOTmoAgCpv4fK19NhZeP-5-JgjX3EASFcfQbMVydR2yA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> well yes, im pretty sure the same encryption is needed in requests and
> the returned page, otherwise it would probably get a no cypher overlap
> error.
>
> so i basically need stunnel to encrypt outgoing requests, and decrypt
> the returned things and only on the browser side of connection.
>
> there's a good reason why they are deprecated, but it would be better
> to add this functionality this way if possible, rather than change
> whole programs, especially when its the purpose of stunnel, according
> to the description
>
> On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
>> This is not what I've understood from your first description. You would
>> like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a
>> web
>> proxy.
>>
>> This is why I don't think stunnel is intended for that.
>>
>> That said, if SSLV3 and TLSv1 have been deprecated, there's a good reason
>> and you should seriously think to update your tools.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <kovacsjanosfasz at gmail.com>
>> wrote:
>>
>>> well, it says this on the first line of the website:
>>> "Stunnel is a proxy designed to add TLS encryption functionality to
>>> existing clients and servers without any changes in the programs'
>>> code."
>>>
>>> i just want to add TLS functionality to client browsers which dont
>>> have it. i only need stunnel to decrypt TLS traffic going back to the
>>> browser.
>>>
>>> On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
>>> > Sorry I didn't read it correctly. I don't think this is something
>>> > stunnel
>>> > can handle.
>>> >
>>> > Regards,
>>> > Flo
>>> >
>>> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <kovacsjanosfasz at gmail.com>
>>> > wrote:
>>> >
>>> >> thank you for  the reply,
>>> >> its the address and port where privoxy listens for requests.
>>> >> from the config file:
>>> >> "#  4.1. listen-address
>>> >> #  ====================
>>> >> #
>>> >> #  Specifies:
>>> >> #
>>> >> #      The IP address and TCP port on which Privoxy will listen for
>>> >> #      client requests."
>>> >> and under it:
>>> >>
>>> >> listen-address  127.0.0.1:8118
>>> >>
>>> >> On 12/3/18, Flo Rance <trourance at gmail.com> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > It's not clear in your description what is running on 8118 local
>>> >> > port.
>>> >> >
>>> >> > Regards,
>>> >> > Flo
>>> >> >
>>> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <
>>> kovacsjanosfasz at gmail.com>
>>> >> > wrote:
>>> >> >
>>> >> >> sorry to bother,
>>> >> >> im trying to make older browsers be able to display TLS 1.1 and TLS
>>> >> >> 1.2
>>> >> >> sites.
>>> >> >> i heard stunnel cant be configured to always forward to the current
>>> >> >> site address dynamically, thats why i would use privoxy.
>>> >> >> the browser is configured to send to:
>>> >> >> 127.0.0.1  443
>>> >> >>
>>> >> >> stunnel config has this at the end:
>>> >> >> [Tunnel_in]
>>> >> >> client = yes
>>> >> >> accept = 127.0.0.1:443
>>> >> >> connect = 127.0.0.1:8118
>>> >> >> verifyChain = yes
>>> >> >> CAfile = ca-certs.pem
>>> >> >> checkHost = localhost
>>> >> >>
>>> >> >> 127.0.0.1:8118 is the privoxy address.
>>> >> >> this is what stunnel writes:
>>> >> >> LOG5[main]: Configuration successful
>>> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from
>>> >> >> 127.0.0.1:3261
>>> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
>>> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from
>>> >> 127.0.0.1:3262
>>> >> >>
>>> >> >> and the browser infinitely loads, and never loads anything or
>>> >> >> leaves
>>> >> >> the
>>> >> >> page.
>>> >> >> if i remove the last 3 lines, its the same just with this line
>>> >> >> added:
>>> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent
>>> >> >> MITM
>>> >> >> attacks
>>> >> >>
>>> >> >> but it doesnt give an error or anything.
>>> >> >>
>>> >> >> with a configuration like:
>>> >> >> [Tunnel_out]
>>> >> >> client = no
>>> >> >> accept = 127.0.0.1:443
>>> >> >> connect = 127.0.0.1:8118
>>> >> >> cert = stunnel.pem
>>> >> >>
>>> >> >> this is what it gives:
>>> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from
>>> 127.0.0.1:3294
>>> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL
>>> >> >> routines:SSL23_GET_CLIENT_HELLO:https proxy request
>>> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to
>>> >> >> socket
>>> >> >>
>>> >> >> and browser gives a server not found error immediately. im not even
>>> >> >> sure if i should use client or server configuration in a case like
>>> >> >> this, but none of them works anyway. all i would need is for my
>>> >> >> browser to get the pages decrypted, or at least in less than
>>> >> >> TLS1.1.
>>> >> >> like how on newipnow.com i can access sites with any encryption,
>>> since
>>> >> >> they are sent to the browser without encryption. the browser just
>>> >> >> gives an "unencrypted tunnel" warning, which is how i found
>>> >> >> stunnel,
>>> >> >> and which is exactly what i need, just locally.
>>> >> >> _______________________________________________
>>> >> >> stunnel-users mailing list
>>> >> >> stunnel-users at stunnel.org
>>> >> >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>> >> >>
>>> >> >
>>> >>
>>> >
>>>
>>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 04 Dec 2018 19:16:53 +0000
> From: Zizhong Zhang <zizazit at protonmail.com>
> To: kovacs janos <kovacsjanosfasz at gmail.com>
> Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org>
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID:
> 	<mSx8WOjppmpWbvW5ETuPUXO048xh4PcPTtZPpOpzkrecueeSUtjQQx13FhtLO24lkyNXRPe_lNpMV8ko6RMEvowOx7mg6rl_1hwj43QAxWw=@protonmail.com>
> 	
> Content-Type: text/plain; charset=UTF-8
>
> Hello,
>
>> im trying to make older browsers be able to display TLS 1.1 and TLS 1.2
>> sites.
>> i heard stunnel cant be configured to always forward to the current
>> site address dynamically, thats why i would use privoxy.
>
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
>
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
>
> events {} http { server {
>     resolver 9.9.9.9;
>     listen 80;
>     location / {
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>     }
> }}
>
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
>
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> out-dated browser will happily ignore those.
>
> --Zizhong
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 4 Dec 2018 21:37:53 +0100
> From: kovacs janos <kovacsjanosfasz at gmail.com>
> To: Zizhong Zhang <zizazit at protonmail.com>
> Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org>
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID:
> 	<CAOchpkq7vG8vHBCrbVn6d4Eh7M2rd6jEob_huhoG=ZefJnpHLw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> well, what i meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> is it really that complicated to achieve that? if i configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldnt stunnel encrypt the traffic with TLS and send forward to the
> connect address? if thats true, shouldnt it also decrypt returning
> traffic and send back to the browser?
> when i configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. probably because the server side
> decrypted it again before it reached the website's server?
>
> i dont necessarily need it to strip encryption, just use anything
> below TLS 1.1. for example on 'https://via.hypothes.is/' i can visit
> sites that would otherwise give cypher error, and they stay as https
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 5 Dec 2018 10:12:06 +0100
> From: Flo Rance <trourance at gmail.com>
> To: kovacsjanosfasz at gmail.com
> Cc: zizazit at protonmail.com, stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID:
> 	<CAHogYcV+ig2-2u8CWYbbqH_AnkiZNzqM9etx=jHj3N+nug-FpQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I would recommend to use squid which is able to do SSL bump.
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
> will establish a TLSv1.2 to the final destination.
>
> Regards,
> Flo
>
> ------------------------------
>
> End of stunnel-users Digest, Vol 173, Issue 4
> *********************************************
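Added example for this thread, not code from stunnel, OpenSSL or any of the posters. It decodes what a local TLS listener actually receives and explains the two log lines seen above: OpenSSL's "https proxy request" error in SSL23_GET_CLIENT_HELLO is raised when the first bytes on the socket are a plaintext `CONNECT ` line (the browser is treating 127.0.0.1:443 as an HTTP proxy rather than speaking TLS to it), and the browser's 'ssl_error_no_cypher_overlap' is the case where a ClientHello offers versions or cipher suites the server does not allow. The ClientHello builder, the cipher-suite lists, the `example.test` host and the server policies are constructed for the example; the function names are the example's own.

```python
"""Classify the first bytes that arrive on a local TLS listener.

Added example; not stunnel or OpenSSL code. Decodes a TLS ClientHello
(legacy version, supported_versions extension, cipher suites) and
recognises the plaintext HTTP proxy request a browser sends when it
treats the listener as an HTTP proxy, which is what OpenSSL's
"https proxy request" error in SSL23_GET_CLIENT_HELLO reports.
"""
import struct

# TLS version numbers as they appear on the wire.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type


def build_client_hello(legacy_version, suites, supported_versions=None):
    """Build a minimal ClientHello record (constructed input, not a capture).
    The record-layer version is 0x0301, as real clients send it."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ext = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vs)]) + vs
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)  # version, random
             + b"\x00"                                      # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                                  # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(data):
    """Return legacy version, offered versions and cipher suites of a
    ClientHello; raise ValueError for anything else."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    (legacy,) = struct.unpack("!H", hs[0:2])
    pos = 2 + 32                     # skip the 32-byte random
    pos += 1 + hs[pos]               # skip the session id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]               # skip compression methods
    offered = [legacy]               # pre-1.3 clients offer only the legacy field
    if pos + 2 <= len(hs):
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:  # TLS 1.3 clients list versions here
                n = hs[pos]
                offered = [struct.unpack("!H", hs[pos + 1 + i:pos + 3 + i])[0]
                           for i in range(0, n, 2)]
            pos += elen
    return {"legacy_version": TLS_VERSIONS.get(legacy, hex(legacy)),
            "offered": offered, "suites": suites,
            "offered_versions": [TLS_VERSIONS.get(v, hex(v)) for v in offered]}


def classify(data):
    """Say what the listener just received. The http-* kinds are the plaintext
    prefixes OpenSSL rejects with 'http request' / 'https proxy request'."""
    if data.startswith(b"CONNECT "):
        return {"kind": "http-proxy-connect",
                "note": "client is using the listener as an HTTP proxy, not speaking TLS"}
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return {"kind": "http-request", "note": "plaintext HTTP, no TLS"}
    try:
        info = parse_client_hello(data)
    except ValueError:
        return {"kind": "unknown"}
    info["kind"] = "tls-client-hello"
    return info


def server_would_accept(hello, server_versions, server_suites):
    """Predict the handshake outcome against a server policy (allowed versions
    and cipher suites): the 'no cipher overlap' case from the thread."""
    info = parse_client_hello(hello)
    common = [v for v in info["offered"] if v in server_versions]
    if not common:
        return "no version overlap"
    for s in info["suites"]:
        if s in server_suites:
            return "ok: %s / 0x%04x" % (TLS_VERSIONS[max(common)], s)
    return "no cipher overlap"


# Constructed inputs: an old browser offering only TLS 1.0 with two RSA suites,
# a modern client offering TLS 1.3/1.2, and the proxy request a browser sends
# to a listener it has been told is an HTTP proxy.
OLD_BROWSER_HELLO = build_client_hello(0x0301, [0x0035, 0x002F])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F],
                                  supported_versions=[0x0304, 0x0303])
PROXY_REQUEST = b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("old browser", OLD_BROWSER_HELLO),
                         ("modern client", MODERN_HELLO),
                         ("proxy request", PROXY_REQUEST)):
        print(name, classify(sample))
    print(server_would_accept(OLD_BROWSER_HELLO, {0x0303, 0x0304}, {0xC02F}))
```

Run it as-is to see the three classifications; feeding it the first bytes read from a listener (or from a packet capture of the local port) tells you whether a client is actually speaking TLS to the port or sending a proxy CONNECT, which is the first thing to check before touching cipher or version settings.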
