[stunnel-users] older browsers, stunnel and privoxy

kovacs janos kovacsjanosfasz at gmail.com
Tue Dec 4 21:37:53 CET 2018

Well, what I meant is forwarding to the current address the browser
connects to, so basically browsing through stunnel.

Is it really that complicated to achieve that? If I configure stunnel
as a client, and make the browser send traffic to the accept address,
shouldn't stunnel encrypt the traffic with TLS and forward it to the
connect address? If that's true, shouldn't it also decrypt returning
traffic and send it back to the browser?
When I configured stunnel as both client and server on the same
computer, it worked, but the browser still gave
'ssl_error_no_cypher_overlap' errors. Probably because the server side
decrypted it again before it reached the website's server?

I don't necessarily need it to strip encryption, just use anything
below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
sites that would otherwise give a cipher error, and they stay as https.

On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
> Hello,
>> I'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2
>> sites.
>> I heard stunnel can't be configured to always forward to the current
>> site address dynamically, that's why I would use privoxy.
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
> events {}
> http {
>     server {
>         # nginx needs a DNS server address here to resolve $host at request
>         # time; the bare "resolver;" of the original is rejected at config
>         # check. 127.0.0.1 is an assumption, use whatever resolver you have.
>         resolver 127.0.0.1;
>         listen 80;
>         location / {
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>             # send SNI upstream, otherwise virtual-hosted HTTPS sites
>             # answer with the wrong certificate or refuse the handshake
>             proxy_ssl_server_name on;
>         }
>     }
> }
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> outdated browser will happily ignore those.
> --Zizhong
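The nginx snippet in the quoted reply, written out as a small local Python proxy so the individual pieces (proxy_pass to https://$host, the Host header, the sub_filter body rewrite, and the headers a downgraded page has to lose) can be seen and tested one by one. This is an added example for this thread, not code from stunnel, nginx or either poster. It assumes the old browser reaches it either as a configured HTTP proxy or through a hosts-file entry with the real site name in the Host header, that the listen address 127.0.0.1:8080 is free, and that the local Python has an OpenSSL able to speak TLS 1.2. Everything between browser and proxy is cleartext, so it must only ever listen on loopback of the machine the browser runs on; it is a deliberate man-in-the-middle of your own traffic and nothing more.

```python
import http.client
import re
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Response headers that must not reach the browser: the first three would make
# it refuse or re-upgrade the downgraded page (the CSP point from the reply),
# the rest are hop-by-hop or recomputed after the body is rewritten.
DROP_RESPONSE_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "content-security-policy-report-only",
    "connection", "transfer-encoding", "content-length",
}


def split_request_target(path, host_header):
    """(host, path) for both ways a browser can reach us: absolute URL in the
    request line (configured as proxy) or origin-form path + Host header."""
    if path.startswith("http://"):
        u = urlsplit(path)
        return u.hostname, (u.path or "/") + ("?" + u.query if u.query else "")
    return host_header.split(":")[0], path


def rewrite_location(value):
    """Keep redirects on the proxy: Location https://... -> http://..."""
    return re.sub(r"^https://", "http://", value, flags=re.I)


def strip_secure_cookie(value):
    """Drop the Secure flag, or the browser never sends the cookie back over HTTP."""
    return re.sub(r";\s*secure(?=;|$)", "", value, flags=re.I)


def filter_response_headers(headers):
    """Apply the rules above to a list of (name, value) tuples."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in DROP_RESPONSE_HEADERS:
            continue
        if lname == "location":
            value = rewrite_location(value)
        elif lname == "set-cookie":
            value = strip_secure_cookie(value)
        out.append((name, value))
    return out


def rewrite_body(body, content_type):
    """nginx sub_filter 'https://' 'http://' equivalent; HTML only, binaries untouched."""
    if content_type.split(";")[0].strip().lower() == "text/html":
        return body.replace(b"https://", b"http://")
    return body


def fetch_upstream(host, method, path, request_headers, body=None):
    """Talk TLS 1.2+ with SNI to the real site; returns (status, headers, body)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=20)
    skip = {"connection", "proxy-connection", "keep-alive", "accept-encoding", "host"}
    headers = {k: v for k, v in request_headers.items() if k.lower() not in skip}
    headers["Host"] = host          # like proxy_set_header Host $http_host
    headers["Connection"] = "close"  # no encoding requested, so the body is rewritable
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data, hdrs = resp.read(), resp.getheaders()
    conn.close()
    return resp.status, hdrs, data


class UpgradingProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"  # simplest framing for very old browsers

    def _proxy(self):
        host, path = split_request_target(self.path, self.headers.get("Host", ""))
        if not host:
            self.send_error(400, "no Host header")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        try:
            status, hdrs, data = fetch_upstream(host, self.command, path, dict(self.headers), body)
        except OSError as exc:  # DNS, TCP and TLS failures all land here
            self.send_error(502, "upstream failed: %s" % exc)
            return
        ctype = next((v for k, v in hdrs if k.lower() == "content-type"), "")
        data = rewrite_body(data, ctype)
        self.send_response(status)
        for name, value in filter_response_headers(hdrs):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_POST = do_HEAD = _proxy


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), UpgradingProxy).serve_forever()  # loopback only
```

Run it, point the old browser's HTTP proxy setting at 127.0.0.1:8080 (or add a hosts-file entry and listen on port 80), and request the site as plain http://. The `rewrite_body` pass has the same limitation the reply notes for sub_filter: it blindly turns every https:// in HTML into http://, so third-party resources that are only served over HTTPS, and any script that builds URLs itself, can still break.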
