[stunnel-users] older browsers, stunnel and privoxy
kovacs janos
kovacsjanosfasz at gmail.com
Fri Dec 7 01:30:21 CET 2018
now im really not sure, since the wikipedia page on stunnel also
describes the program doing exactly what i need in the Example
scenario section:
https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the
stunnel application, which transparently encrypts/decrypts traffic and
forwards unsecured traffic to port 25 locally. The mail server sees a
non-SSL mail client. "
only difference is, i need it to forward "unsecured traffic" to my
browser client, not a server. are you all sure its really not
possible?
On 12/5/18, kovacs janos <kovacsjanosfasz at gmail.com> wrote:
> thank you for suggestions, but can someone tell me in what cases
> stunnel can be used?
> i can connect to http websites through it, but https doesnt work, even
> if it would otherwise do.
> i try to connect to 'https://via.hypothes.is/' like this, which i can
> access in browser without any proxy:
> [Tunnel_in]
> client = yes
> accept = 127.0.0.1:443
> connect = via.hypothes.is:443
>
> i get these logs:
> LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
> LOG5[1]: s_connect: connected 104.20.214.15:443
> LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
> LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to
> socket
>
> and the browser just shows a 'server not found' error.
> with http sites its the same logs except the IP and bytes, and it
> loads in the browser.
>
> On 12/5/18, Flo Rance <trourance at gmail.com> wrote:
>> I would recommend to use squid which is able to do SSL bump.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
>> will establish a TLSv1.2 to the final destination.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosfasz at gmail.com>
>> wrote:
>>
>>> well, what i meant is forwarding to the current address the browser
>>> connects to, so basically browsing through stunnel.
>>>
>>> is it really that complicated to achieve that? if i configure stunnel
>>> as a client, and make the browser send traffic to the accept address,
>>> shouldnt stunnel encrypt the traffic with TLS and send forward to the
>>> connect address? if thats true, shouldnt it also decrypt returning
>>> traffic and send back to the browser?
>>> when i configured stunnel as both client and server on the same
>>> computer, it worked, but the browser still gave
>>> 'ssl_error_no_cypher_overlap' errors. probably because the server side
>>> decrypted it again before it reached the website's server?
>>>
>>> i dont necessarily need it to strip encryption, just use anything
>>> below TLS 1.1. for example on 'https://via.hypothes.is/' i can visit
>>> sites that would otherwise give cypher error, and they stay as https
>>>
>>> On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
>>> > Hello,
>>> >
>>> >> im trying to make older browsers be able to display TLS 1.1 and TLS
>>> >> 1.2
>>> >> sites.
>>> >> i heard stunnel cant be configured to always forward to the current
>>> >> site address dynamically, thats why i would use privoxy.
>>> >
>>> > If by "forward to the current site address dynamically" you meant
>>> "forward
>>> > to the current address of one specific domain" then stunnel can
>>> > achieve
>>> that
>>> > by adding "delay = yes".
>>> >
>>> > However, if I understood correctly, you wanted to let stunnel strip
>>> > or remove SSL for whatever sites you visit. Then no, I don't think you
>>> can
>>> > achieve that with privoxy and stunnel. If that's what you want, I
>>> > would
>>> > suggest you use nginx to remove SSL. The following example
>>> > configuration
>>> > will let nginx "upgrade" your HTTP request to HTTPS.
>>> >
>>> > events {} http { server {
>>> > resolver 9.9.9.9;
>>> > listen 80;
>>> > location / {
>>> > proxy_pass https://$host$request_uri;
>>> > proxy_set_header Host $http_host;
>>> > }
>>> > }}
>>> >
>>> > You can then point any domain to the nginx server (for example, via
>>> > the
>>> > hosts file) and visit the site via HTTP. This will make HTTPS-oly
>>> > servers
>>> > happy.
>>> >
>>> > That won't strip third-party HTTPS:// URL resources like NewIPNow
>>> > does,
>>> but
>>> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML.
>>> Also
>>> > there are "security features" like "Content-Security-Policy" that
>>> > prevent
>>> > modern browsers from visiting your SSL-stripped sites, but I believe
>>> > your
>>> > out-dated browser will happily ignore those.
>>> >
>>> > --Zizhong
>>> >
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>
>
More information about the stunnel-users
mailing list