[stunnel-users] older browsers, stunnel and privoxy

Flo Rance trourance at gmail.com
Wed Dec 5 10:12:06 CET 2018


I would recommend using squid, which is able to do SSL bump.

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
will establish a TLSv1.2 connection to the final destination.

Regards,
Flo

On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosfasz at gmail.com>
wrote:

> Well, what I meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> Is it really that complicated to achieve that? If I configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldn't stunnel encrypt the traffic with TLS and send forward to the
> connect address? If that's true, shouldn't it also decrypt returning
> traffic and send back to the browser?
> When I configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
> decrypted it again before it reached the website's server?
>
> I don't necessarily need it to strip encryption, just use anything
> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
> sites that would otherwise give cypher error, and they stay as https.
>
> On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
> > Hello,
> >
> >> I'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2
> >> sites.
> >> I heard stunnel can't be configured to always forward to the current
> >> site address dynamically, that's why I would use privoxy.
> >
> > If by "forward to the current site address dynamically" you meant "forward
> > to the current address of one specific domain" then stunnel can achieve that
> > by adding "delay = yes".
> >
> > However, if I understood correctly, you wanted to let stunnel strip
> > or remove SSL for whatever sites you visit. Then no, I don't think you can
> > achieve that with privoxy and stunnel. If that's what you want, I would
> > suggest you use nginx to remove SSL. The following example configuration
> > will let nginx "upgrade" your HTTP request to HTTPS.
> >
> > events {}
> > http {
> >     server {
> >         # a resolver is required because $host is only known at request time
> >         resolver 9.9.9.9;
> >         # plain HTTP from the old browser comes in here
> >         listen 80;
> >         location / {
> >             # same host and path as requested, but over TLS to the real site
> >             proxy_pass https://$host$request_uri;
> >             proxy_set_header Host $http_host;
> >         }
> >     }
> > }
> >
> > You can then point any domain to the nginx server (for example, via the
> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> > happy.
> >
> > That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> > there are "security features" like "Content-Security-Policy" that prevent
> > modern browsers from visiting your SSL-stripped sites, but I believe your
> > outdated browser will happily ignore those.
> >
> > --Zizhong
> >
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
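The nginx configuration quoted above, broken down into the individual request-handling steps it performs (pick the upstream from the Host header, forward over TLS, optionally rewrite links like sub_filter). This is an added illustration written for this post, not code from any poster, nginx or stunnel; the sample request is constructed and the function names are hypothetical.

```python
"""Request-handling steps behind 'proxy_pass https://$host$request_uri'.
Hypothetical helper code for illustration; not nginx, stunnel or squid."""
import re
from urllib.parse import urlsplit

# Constructed sample: what a legacy browser sends once a domain is pointed at the proxy
SAMPLE_REQUEST = (
    b"GET /index.html?x=1 HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"User-Agent: OldBrowser/1.0\r\n"
    b"Connection: close\r\n\r\n"
)

# Headers that belong to the browser<->proxy hop and must not be forwarded upstream
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}

def parse_request(raw):
    """Split an HTTP/1.x request into (method, request target, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def upstream_url(target, headers):
    """Same host and path the browser asked for, but reached over TLS
    (the $host$request_uri part of the nginx config)."""
    host = headers.get("host")
    if not host:
        raise ValueError("HTTP/1.1 request without Host header; no upstream to choose")
    # Proxy-style absolute-form targets carry the path inside the URL
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return f"https://{host}{target}"

def forward_headers(headers):
    """Drop hop-by-hop headers, keep Host (proxy_set_header Host $http_host)."""
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP}

def downgrade_links(body, content_type):
    """sub_filter analogue: rewrite https:// links in HTML only, so the old
    browser keeps routing follow-up requests through the proxy."""
    if not content_type.lower().startswith("text/html"):
        return body
    return re.sub(rb"https://", b"http://", body)
```

A real forwarder would still have to verify the upstream certificate with a TLS 1.2-capable library on the https side; that is the part the legacy browser cannot do itself.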