[stunnel-users] older browsers, stunnel and privoxy

Peter Pentchev roam at ringlet.net
Fri Jan 4 16:05:54 CET 2019


On Thu, Jan 03, 2019 at 02:45:30PM -0700, Eric Eberhard wrote:
> Observation:  you accept on port 80 ... the log says 4121 ... any chance
> you have some sort of port forwarding/NAT/firewall/router issue?

Just for the record (I already answered the question in another
message), the log says that the client - the program that was talking to
stunnel, presumably some kind of web browser - connected *to* stunnel
*from* the (ephemeral) port 4121.

> Second -- if you are on Unix why not just use inetd?  Easy, reliable,
> simple, always works (if inetd goes down you have no Unix).  And you
> have nothing to manage -- just logs to look at.

The inetd and stunnel tools serve different purposes - inetd cannot, by
itself, proxy between a plaintext and a TLS/SSL connection.

> Happy New Year
> 
> Eric

Same!

G'luck,
Peter


> -----Original Message-----
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of kovacs janos
> Sent: Saturday, December 29, 2018 7:37 PM
> To: Javier <jamilist.stn at gmx.es>
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> 
> It still doesn't seem to work. I tried it with deviantart.com again.
> configuration:
> client = yes
> accept = 127.0.0.1:80
> connect = 52.85.220.247:443
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = *.deviantart.com
> 
> The name after checkHost is the "Common Name" displayed when viewing the site's certificate in a browser (lock icon, view certificate). I also saved the certificate in case I would need to try the "certificate pinning" method. The connect IP is what 'get-site-ip.com' says the IP of the website is.
> 
> these are the logs:
> Service [fbsd-www] accepted connection from 127.0.0.1:4121
> s_connect: connected 52.85.220.247:443
> Service [fbsd-www] connected remote server from 192.168.0.3:4122
> SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 
> I know I pestered everyone long enough, but I still haven't been able to connect to anything. Without any verification it's the same.
> 
> On 12/21/18, Javier <jamilist.stn at gmx.es> wrote:
> > On Fri, 21 Dec 2018 13:58:35 +0200
> > Peter Pentchev <roam at ringlet.net> wrote:
> >
> >> Hm, there's no reason why stunnel would not work like that for a 
> >> predetermined set of hosts with known addresses.
> >
> > Hi,
> >
> > I'm just trying to avoid encouraging him to keep with his first idea
> > of browsing through Stunnel, with or without privoxy.
> >
> > Of course one site, one connection would work, if we forget about
> > secondary issues and..., never mind...
> >
> > I give up :D
> >
> > Regards.
> >
> >
> > _______________________________________________
> > stunnel-users mailing list
> > stunnel-users at stunnel.org
> > https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> >

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
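
The point above about port 4121 being the client's source port, not stunnel's listening port, can be checked mechanically. This is an added example, not part of the original message or of stunnel itself: it labels each address in the quoted log against the quoted `accept`/`connect` settings. The function names and the three message patterns are assumptions taken from the log lines shown in this thread.

```python
import re

# Constructed from the configuration and log lines quoted in this thread.
CONFIG = """\
client = yes
accept = 127.0.0.1:80
connect = 52.85.220.247:443
"""
LOG = """\
Service [fbsd-www] accepted connection from 127.0.0.1:4121
s_connect: connected 52.85.220.247:443
Service [fbsd-www] connected remote server from 192.168.0.3:4122
"""

ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
# (message pattern, leg of the proxied connection, which end the address is)
PATTERNS = [
    (re.compile("accepted connection from " + ENDPOINT), "client->stunnel", "client source"),
    (re.compile("s_connect: connected " + ENDPOINT), "stunnel->server", "server destination"),
    (re.compile("connected remote server from " + ENDPOINT), "stunnel->server", "stunnel source"),
]

def parse_config(text):
    """Return the accept/connect endpoints as {'accept': (host, port), ...}."""
    out = {}
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        m = re.fullmatch(ENDPOINT, value)
        if key in ("accept", "connect") and m:
            out[key] = (m.group(1), int(m.group(2)))
    return out

def annotate(log, config):
    """Label each logged address as a configured endpoint or an ephemeral source."""
    cfg = parse_config(config)
    names = {cfg.get("accept"): "configured accept", cfg.get("connect"): "configured connect"}
    rows = []
    for line in log.splitlines():
        for rx, leg, role in PATTERNS:
            m = rx.search(line)
            if m:
                addr = (m.group(1), int(m.group(2)))
                # Anything that is not a configured endpoint is an OS-assigned source port.
                rows.append((leg, role, addr, names.get(addr, "ephemeral")))
    return rows

if __name__ == "__main__":
    for row in annotate(LOG, CONFIG):
        print(row)
```

The listening address 127.0.0.1:80 never appears in the log output; only the two ephemeral source ports (4121 and 4122) and the configured `connect` target do.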