[stunnel-users] older browsers, stunnel and privoxy

kovacs janos kovacsjanosfasz at gmail.com
Wed Dec 12 16:56:29 CET 2018


Anyway, here is an article about what I need:
https://en.wikipedia.org/wiki/TLS_termination_proxy

Except it shouldn't pass the unencrypted data to a server but to a browser.
On the same page, stunnel is listed under "Servers capable of acting
as a TLS/SSL termination proxy".
I would be grateful if I could finally make this work.

On 12/9/18, kovacs janos <kovacsjanosfasz at gmail.com> wrote:
> How can I disable verification though? At first I just want to see it
> work at all.
> In the howto page, it says this:
> "
> Stunnel has 3 methods for checking certificates, which are controlled
> by the verify option:
>
>     * Do not Verify Certificates
>       If no verify argument is given, then stunnel will ignore any
>       certificates offered and will allow all connections.
> "
>
> There is no "verify" in the stunnel.conf file, and only the gmail
> service examples have verifyChain.
>
> On 12/9/18, Yyy <yyy at yyy.id.lv> wrote:
>> How would a connection between stunnel and the server through a proxy work? To
>> verify the server's identity, stunnel needs to receive and verify the server's
>> certificate, and since the server's address is defined in the config file, anything
>> that modifies traffic between stunnel and the server will be seen as MITM and
>> that will break connectivity.
>> It might be possible to disable certificate verification, but in that
>> case sslstrip would be a better solution (it would have the same security).
>>
>> On December 9, 2018 3:30:34 PM EET, kovacs janos
>> <kovacsjanosfasz at gmail.com>
>> wrote:
>>>I mean a proxy that can work with the address of the actual website
>>>opened in the browser, not just specific addresses defined in the
>>>config file.
>>>
>>>At least I thought that's what you meant with this:
>>>"In case of client (browser), for each remote (https) server to be
>>>connected to, stunnel config file will need an entry;
>>>in browser it will not be possible to use DNS names (all servers will
>>>have to be addressed as 127.0.0.1:someport
>>>where "someport", is port assigned in stunnel conf server entry accept
>>>statement), so most links in webpages will not work."
>>>
>>>If stunnel can only work with specified addresses, can't a proxy like
>>>privoxy be set up at both ends, so that stunnel only has to accept and
>>>connect to the address of the proxies?
>>>
>>>On 12/9/18, Yyy <yyy at yyy.id.lv> wrote:
>>>> What do you mean by dynamic address proxy?
>>>>
>>>> On December 8, 2018 12:39:26 AM EET, kovacs janos
>>>> <kovacsjanosfasz at gmail.com> wrote:
>>>>>If stunnel can only accept from and forward to one address, can't that
>>>>>be worked around by setting a dynamic address proxy on both sides of
>>>>>stunnel? Like:
>>>>>proxy - stunnel - proxy
>>>>>
>>>>>Although I haven't been able to connect to even a single website, I
>>>>>didn't try with specifically the IP.
>>>>>
>>>>>On 12/7/18, yyy <yyy at yyy.id.lv> wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "kovacs janos" <kovacsjanosfasz at gmail.com>
>>>>>> To: "Flo Rance" <trourance at gmail.com>
>>>>>> Cc: <stunnel-users at stunnel.org>
>>>>>> Sent: Friday, December 07, 2018 2:30 AM
>>>>>> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
>>>>>>
>>>>>>
>>>>>>> Now I'm really not sure, since the wikipedia page on stunnel also
>>>>>>> describes the program doing exactly what I need in the Example
>>>>>>> scenario section:
>>>>>>> https://en.wikipedia.org/wiki/Stunnel#Example_scenario
>>>>>>>
>>>>>>> "Network traffic from the client initially passes over SSL to the
>>>>>>> stunnel application, which transparently encrypts/decrypts traffic and
>>>>>>> forwards unsecured traffic to port 25 locally. The mail server sees a
>>>>>>> non-SSL mail client."
>>>>>>>
>>>>>>> The only difference is, I need it to forward "unsecured traffic" to my
>>>>>>> browser client, not a server. Are you all sure it's really not
>>>>>>> possible?
>>>>>>>
>>>>>> It is possible with the same limitations as in the server case.
>>>>>> In case of a server, there is one server, which accepts incoming connections
>>>>>> (unencrypted) and stunnel accepts unencrypted
>>>>>> connections for that (one) server and decrypts and forwards them. There is
>>>>>> only one server, which gets connected by stunnel.
>>>>>>
>>>>>> In case of a client (browser), for each remote (https) server to be connected
>>>>>> to, the stunnel config file will need an entry;
>>>>>> in the browser it will not be possible to use DNS names (all servers will have
>>>>>> to be addressed as 127.0.0.1:someport
>>>>>> where "someport" is the port assigned in the stunnel conf server entry accept
>>>>>> statement), so most links in webpages will not work.
>>>>>> It may be feasible for a small number of servers which do not link any
>>>>>> external resources.
>>>>>>
>>>>>> _______________________________________________
>>>>>> stunnel-users mailing list
>>>>>> stunnel-users at stunnel.org
>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>
>>>>
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>
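As an added example (not taken from this thread), here is a stunnel client-mode configuration of the kind Yyy describes: one section per remote HTTPS server, each bound to its own loopback port for the old browser to talk to, with certificate verification kept on instead of being disabled. The hostnames, ports and CA bundle path are assumptions.

```ini
; Added example, not from the thread: stunnel in client mode acting as a
; TLS termination proxy in front of an old browser.
; Each remote HTTPS server needs its own [section]; the browser is pointed
; at http://127.0.0.1:<accept port>/ instead of the real name.
; Hostnames, ports and the CA bundle path below are placeholders.

; Global options
client = yes
; Trust store used to verify every remote server's certificate chain
; (path is distribution-specific; adjust to your system's CA bundle).
CAfile = /etc/ssl/certs/ca-certificates.crt

[site-one]
; Browser opens http://127.0.0.1:8441/ to reach https://site-one.example/
accept  = 127.0.0.1:8441
connect = site-one.example:443
; Verify the chain up to a trusted CA and that the certificate was issued
; for this host. Leaving these out is the "Do not Verify Certificates"
; mode from the HOWTO quoted above: any certificate is accepted, which
; gives no more protection against an active attacker than plain HTTP.
verifyChain = yes
checkHost   = site-one.example
; Send the expected server name in the TLS SNI extension
sni = site-one.example

[site-two]
; Browser opens http://127.0.0.1:8442/ to reach https://site-two.example/
accept  = 127.0.0.1:8442
connect = site-two.example:443
verifyChain = yes
checkHost   = site-two.example
sni = site-two.example
```

Note that the browser still sends `Host: 127.0.0.1:8441` in the HTTP request, so a virtual-hosted site may refuse or misroute it; this is in addition to the broken-links limitation Yyy describes.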


