[stunnel-users] older browsers with modern HTTPS - stunnel-users Digest, Vol 173, Issue 4

Thomas GMX thomas.s.wolfsburg at gmx.de
Wed Dec 5 17:31:09 CET 2018


Hi Janos,

You can use a local proxy to "translate" HTTPS TLS1.0 to TLS1.2. Look here:

https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?page=7&tab=comments#comment-1155858

HTTPSProxy (and tools) handles all traffic locally (incoming and outgoing HTTPS), but needs manual configuration as described in the help files.
If you have questions please ask in this forum.

Regards Thomas S.



-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of stunnel-users-request at stunnel.org
Sent: Wednesday, December 05, 2018 10:12 AM
To: stunnel-users at stunnel.org
Subject: stunnel-users Digest, Vol 173, Issue 4

Send stunnel-users mailing list submissions to
	stunnel-users at stunnel.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
or, via email, send a message with subject or body 'help' to
	stunnel-users-request at stunnel.org

You can reach the person managing the list at
	stunnel-users-owner at stunnel.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of stunnel-users digest..."


Today's Topics:

   1. Re: older browsers, stunnel and privoxy (kovacs janos)
   2. Re: older browsers, stunnel and privoxy (Zizhong Zhang)
   3. Re: older browsers, stunnel and privoxy (kovacs janos)
   4. Re: older browsers, stunnel and privoxy (Flo Rance)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 Dec 2018 19:27:15 +0100
From: kovacs janos <kovacsjanosfasz at gmail.com>
To: Flo Rance <trourance at gmail.com>
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
	<CAOchpkrOTmoAgCpv4fK19NhZeP-5-JgjX3EASFcfQbMVydR2yA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Well yes, I'm pretty sure the same encryption is needed in requests and
the returned page, otherwise it would probably get a "no cypher overlap"
error.

So I basically need stunnel to encrypt outgoing requests, and decrypt
the returned things, and only on the browser side of the connection.

There's a good reason why they are deprecated, but it would be better
to add this functionality this way if possible, rather than change
whole programs, especially when it's the purpose of stunnel, according
to the description.

On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
> This is not what I've understood from your first description. You would
> like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web
> proxy.
>
> This is why I don't think stunnel is intended for that.
>
> That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason
> and you should seriously think about updating your tools.
>
> Regards,
> Flo
>
> On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <kovacsjanosfasz at gmail.com>
> wrote:
>
>> Well, it says this on the first line of the website:
>> "Stunnel is a proxy designed to add TLS encryption functionality to
>> existing clients and servers without any changes in the programs'
>> code."
>>
>> I just want to add TLS functionality to client browsers which don't
>> have it. I only need stunnel to decrypt TLS traffic going back to the
>> browser.
>>
>> On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
>> > Sorry I didn't read it correctly. I don't think this is something
>> > stunnel
>> > can handle.
>> >
>> > Regards,
>> > Flo
>> >
>> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <kovacsjanosfasz at gmail.com>
>> > wrote:
>> >
>> >> Thank you for the reply,
>> >> it's the address and port where privoxy listens for requests.
>> >> From the config file:
>> >> "#  4.1. listen-address
>> >> #  ====================
>> >> #
>> >> #  Specifies:
>> >> #
>> >> #      The IP address and TCP port on which Privoxy will listen for
>> >> #      client requests."
>> >> And under it:
>> >>
>> >> listen-address  127.0.0.1:8118
>> >>
>> >> On 12/3/18, Flo Rance <trourance at gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > It's not clear in your description what is running on 8118 local
>> >> > port.
>> >> >
>> >> > Regards,
>> >> > Flo
>> >> >
>> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <
>> kovacsjanosfasz at gmail.com>
>> >> > wrote:
>> >> >
>> >> >> Sorry to bother,
>> >> >> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites.
>> >> >> I heard stunnel can't be configured to always forward to the current
>> >> >> site address dynamically; that's why I would use privoxy.
>> >> >> The browser is configured to send to:
>> >> >> 127.0.0.1  443
>> >> >>
>> >> >> The stunnel config has this at the end:
>> >> >> [Tunnel_in]
>> >> >> client = yes
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> verifyChain = yes
>> >> >> CAfile = ca-certs.pem
>> >> >> checkHost = localhost
>> >> >>
>> >> >> 127.0.0.1:8118 is the privoxy address.
>> >> >> This is what stunnel writes:
>> >> >> LOG5[main]: Configuration successful
>> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
>> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
>> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
>> >> >>
>> >> >> And the browser loads infinitely, and never loads anything or leaves
>> >> >> the page.
>> >> >> If I remove the last 3 lines, it's the same, just with this line added:
>> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
>> >> >>
>> >> >> But it doesn't give an error or anything.
>> >> >>
>> >> >> With a configuration like:
>> >> >> [Tunnel_out]
>> >> >> client = no
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> cert = stunnel.pem
>> >> >>
>> >> >> this is what it gives:
>> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
>> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>> >> >>
>> >> >> And the browser gives a "server not found" error immediately. I'm not even
>> >> >> sure if I should use the client or server configuration in a case like
>> >> >> this, but none of them works anyway. All I would need is for my
>> >> >> browser to get the pages decrypted, or at least in less than TLS1.1,
>> >> >> like how on newipnow.com I can access sites with any encryption, since
>> >> >> they are sent to the browser without encryption. The browser just
>> >> >> gives an "unencrypted tunnel" warning, which is how I found stunnel,
>> >> >> and which is exactly what I need, just locally.
>> >> >> _______________________________________________
>> >> >> stunnel-users mailing list
>> >> >> stunnel-users at stunnel.org
>> >> >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>> >> >>
>> >> >
>> >>
>> >
>>
>


------------------------------

Message: 2
Date: Tue, 04 Dec 2018 19:16:53 +0000
From: Zizhong Zhang <zizazit at protonmail.com>
To: kovacs janos <kovacsjanosfasz at gmail.com>
Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org>
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
	<mSx8WOjppmpWbvW5ETuPUXO048xh4PcPTtZPpOpzkrecueeSUtjQQx13FhtLO24lkyNXRPe_lNpMV8ko6RMEvowOx7mg6rl_1hwj43QAxWw=@protonmail.com>
	
Content-Type: text/plain; charset=UTF-8

Hello,

> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites.
> I heard stunnel can't be configured to always forward to the current
> site address dynamically; that's why I would use privoxy.

If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".

However, if I understood correctly, you wanted to let stunnel strip
or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.

events {}
http {
    server {
        resolver 9.9.9.9;
        listen 80;
        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;
        }
    }
}

You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.

That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.

--Zizhong


------------------------------

Message: 3
Date: Tue, 4 Dec 2018 21:37:53 +0100
From: kovacs janos <kovacsjanosfasz at gmail.com>
To: Zizhong Zhang <zizazit at protonmail.com>
Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org>
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
	<CAOchpkq7vG8vHBCrbVn6d4Eh7M2rd6jEob_huhoG=ZefJnpHLw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Well, what I meant is forwarding to the current address the browser
connects to, so basically browsing through stunnel.

Is it really that complicated to achieve that? If I configure stunnel
as a client, and make the browser send traffic to the accept address,
shouldn't stunnel encrypt the traffic with TLS and forward it to the
connect address? If that's true, shouldn't it also decrypt returning
traffic and send it back to the browser?
When I configured stunnel as both client and server on the same
computer, it worked, but the browser still gave
'ssl_error_no_cypher_overlap' errors. Probably because the server side
decrypted it again before it reached the website's server?

I don't necessarily need it to strip encryption, just use anything
below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
sites that would otherwise give a cypher error, and they stay as https.

On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
> Hello,
>
>> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2
>> sites.
>> I heard stunnel can't be configured to always forward to the current
>> site address dynamically; that's why I would use privoxy.
>
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
>
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
>
> events {} http { server {
>     resolver 9.9.9.9;
>     listen 80;
>     location / {
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>     }
> }}
>
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
>
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> outdated browser will happily ignore those.
>
> --Zizhong
>
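The client-mode behaviour asked about above (plaintext in from the browser, TLS out to the site, decrypted replies back), as an added illustration in Python; it is not stunnel's code. It does what a `client = yes` section with `verifyChain = yes`, `checkHost` set to the remote name and a fixed `connect` target does: listen locally, open a verified TLS 1.2-or-newer connection to one HTTPS server and relay bytes both ways. The listener address, target host and CA file are constructed placeholders.

```python
# Added illustration, not stunnel code: a minimal equivalent of an stunnel
# 'client = yes' section (plaintext in, verified TLS 1.2+ out, bytes relayed).
import socket
import ssl
import threading

LISTEN = ("127.0.0.1", 4443)       # constructed; like 'accept = 127.0.0.1:4443'
TARGET = ("www.example.com", 443)  # constructed; like 'connect = www.example.com:443'
CAFILE = None                      # like 'CAfile = ...'; None means the system trust store

def make_client_context(cafile=CAFILE, min_version=ssl.TLSVersion.TLSv1_2):
    """Outbound TLS policy: chain verification ('verifyChain = yes'), hostname
    check against TARGET ('checkHost = www.example.com') and a TLS version floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = min_version
    return ctx

def pump(src, dst):
    """Copy bytes one way until the source closes, then shut both sockets down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def handle(plain, ctx):
    """One browser connection: TLS-wrap the outbound leg, then relay both ways.
    The handshake fails if the chain does not verify or the name does not match."""
    tls = ctx.wrap_socket(socket.create_connection(TARGET), server_hostname=TARGET[0])
    threading.Thread(target=pump, args=(plain, tls), daemon=True).start()
    pump(tls, plain)

def serve(ctx):
    """Accept loop on the local plaintext port, one thread per connection."""
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, ctx), daemon=True).start()

if __name__ == "__main__":
    serve(make_client_context())
```

Because the bytes are relayed unchanged, the `connect` side must be a TLS server: pointing it at privoxy's plaintext port 8118, as the [Tunnel_in] section earlier in the thread does, sends a TLS handshake to a plain HTTP proxy, which is consistent with the connection that is established but never answers. Likewise `checkHost` has to name the remote site, not `localhost`, or verification cannot succeed.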


------------------------------

Message: 4
Date: Wed, 5 Dec 2018 10:12:06 +0100
From: Flo Rance <trourance at gmail.com>
To: kovacsjanosfasz at gmail.com
Cc: zizazit at protonmail.com, stunnel-users at stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
	<CAHogYcV+ig2-2u8CWYbbqH_AnkiZNzqM9etx=jHj3N+nug-FpQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I would recommend using squid, which is able to do SSL bump.

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
will establish a TLSv1.2 connection to the final destination.

Regards,
Flo

On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosfasz at gmail.com>
wrote:

> Well, what I meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> Is it really that complicated to achieve that? If I configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldn't stunnel encrypt the traffic with TLS and forward it to the
> connect address? If that's true, shouldn't it also decrypt returning
> traffic and send it back to the browser?
> When I configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
> decrypted it again before it reached the website's server?
>
> I don't necessarily need it to strip encryption, just use anything
> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
> sites that would otherwise give a cypher error, and they stay as https.
>
> On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
> > Hello,
> >
> >> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2
> >> sites.
> >> I heard stunnel can't be configured to always forward to the current
> >> site address dynamically; that's why I would use privoxy.
> >
> > If by "forward to the current site address dynamically" you meant
> "forward
> > to the current address of one specific domain" then stunnel can achieve
> that
> > by adding "delay = yes".
> >
> > However, if I understood correctly, you wanted to let stunnel strip
> > or remove SSL for whatever sites you visit. Then no, I don't think you
> can
> > achieve that with privoxy and stunnel. If that's what you want, I would
> > suggest you use nginx to remove SSL. The following example configuration
> > will let nginx "upgrade" your HTTP request to HTTPS.
> >
> > events {} http { server {
> >     resolver 9.9.9.9;
> >     listen 80;
> >     location / {
> >             proxy_pass https://$host$request_uri;
> >             proxy_set_header Host $http_host;
> >     }
> > }}
> >
> > You can then point any domain to the nginx server (for example, via the
> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> > happy.
> >
> > That won't strip third-party HTTPS:// URL resources like NewIPNow does,
> but
> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML.
> Also
> > there are "security features" like "Content-Security-Policy" that prevent
> > modern browsers from visiting your SSL-stripped sites, but I believe your
> > outdated browser will happily ignore those.
> >
> > --Zizhong
> >
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>



