[stunnel-users] older browsers, stunnel and privoxy (kovacs janos) - stunnel-users Digest, Vol 173, Issue 7

Thomas GMX thomas.s.wolfsburg at gmx.de
Fri Dec 7 13:21:01 CET 2018


Hi Janos,

Mail (SMTP / POP / IMAP) uses different protocols than HTTPS.
I was not able to connect via stunnel to a server via HTTPS - and this was the reason to create and use my HTTPSProxy.
HTTPSProxy is based on this code (local front- and rear proxy are connected directly without Proxomitron):

https://prxbx.com/forums/showthread.php?tid=2172
https://prxbx.com/forums/showthread.php?tid=2191&pid=19252#pid19252

You can build your own release with python if you do not trust the versions offered by me or HeinoGanda on MSFN.

Regards
Thomas S.


-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of stunnel-users-request at stunnel.org
Sent: Friday, December 07, 2018 12:00 PM
To: stunnel-users at stunnel.org
Subject: stunnel-users Digest, Vol 173, Issue 7

Send stunnel-users mailing list submissions to
	stunnel-users at stunnel.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
or, via email, send a message with subject or body 'help' to
	stunnel-users-request at stunnel.org

You can reach the person managing the list at
	stunnel-users-owner at stunnel.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of stunnel-users digest..."


Today's Topics:

   1. Re: older browsers, stunnel and privoxy (kovacs janos)


----------------------------------------------------------------------

Message: 1
Date: Fri, 7 Dec 2018 01:30:21 +0100
From: kovacs janos <kovacsjanosfasz at gmail.com>
To: Flo Rance <trourance at gmail.com>
Cc: zizazit at protonmail.com, stunnel-users at stunnel.org
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
	<CAOchpkp+5YDig_XpWPFVdP9zQ-L2UN10p8Wzsm9ggv2iuWpU8Q at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Now I'm really not sure, since the Wikipedia page on stunnel also
describes the program doing exactly what I need in the Example
scenario section:
https://en.wikipedia.org/wiki/Stunnel#Example_scenario

"Network traffic from the client initially passes over SSL to the
stunnel application, which transparently encrypts/decrypts traffic and
forwards unsecured traffic to port 25 locally. The mail server sees a
non-SSL mail client."

The only difference is, I need it to forward "unsecured traffic" to my
browser client, not a server. Are you all sure it's really not
possible?

On 12/5/18, kovacs janos <kovacsjanosfasz at gmail.com> wrote:
> Thank you for the suggestions, but can someone tell me in what cases
> stunnel can be used?
> I can connect to http websites through it, but https doesn't work, even
> if it would otherwise do.
> I try to connect to 'https://via.hypothes.is/' like this, which I can
> access in the browser without any proxy:
> [Tunnel_in]
> client = yes
> accept = 127.0.0.1:443
> connect = via.hypothes.is:443
>
> I get these logs:
> LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
> LOG5[1]: s_connect: connected 104.20.214.15:443
> LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
> LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to
> socket
>
> And the browser just shows a 'server not found' error.
> With http sites it's the same logs except the IP and bytes, and it
> loads in the browser.
>
> On 12/5/18, Flo Rance <trourance at gmail.com> wrote:
>> I would recommend to use squid which is able to do SSL bump.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
>> will establish a TLSv1.2 to the final destination.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosfasz at gmail.com>
>> wrote:
>>
>>> Well, what I meant is forwarding to the current address the browser
>>> connects to, so basically browsing through stunnel.
>>>
>>> Is it really that complicated to achieve that? If I configure stunnel
>>> as a client, and make the browser send traffic to the accept address,
>>> shouldn't stunnel encrypt the traffic with TLS and forward it to the
>>> connect address? If that's true, shouldn't it also decrypt returning
>>> traffic and send it back to the browser?
>>> When I configured stunnel as both client and server on the same
>>> computer, it worked, but the browser still gave
>>> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
>>> decrypted it again before it reached the website's server?
>>>
>>> I don't necessarily need it to strip encryption, just use anything
>>> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
>>> sites that would otherwise give a cypher error, and they stay as https.
>>>
>>> On 12/4/18, Zizhong Zhang <zizazit at protonmail.com> wrote:
>>> > Hello,
>>> >
>>> >> I'm trying to make older browsers able to display TLS 1.1 and TLS
>>> >> 1.2 sites.
>>> >> I heard stunnel can't be configured to always forward to the current
>>> >> site address dynamically, that's why I would use privoxy.
>>> >
>>> > If by "forward to the current site address dynamically" you meant
>>> > "forward to the current address of one specific domain" then stunnel
>>> > can achieve that by adding "delay = yes".
>>> >
>>> > However, if I understood correctly, you wanted to let stunnel strip
>>> > or remove SSL for whatever sites you visit. Then no, I don't think you
>>> > can achieve that with privoxy and stunnel. If that's what you want, I
>>> > would suggest you use nginx to remove SSL. The following example
>>> > configuration will let nginx "upgrade" your HTTP request to HTTPS.
>>> >
>>> > events {}
>>> > http {
>>> >     server {
>>> >         resolver 9.9.9.9;
>>> >         listen 80;
>>> >         location / {
>>> >             proxy_pass https://$host$request_uri;
>>> >             proxy_set_header Host $http_host;
>>> >         }
>>> >     }
>>> > }
>>> >
>>> > You can then point any domain to the nginx server (for example, via
>>> > the hosts file) and visit the site via HTTP. This will make HTTPS-only
>>> > servers happy.
>>> >
>>> > That won't strip third-party HTTPS:// URL resources like NewIPNow
>>> > does, but you can use the nginx "sub_filter" to replace HTTPS with
>>> > HTTP in HTML. Also there are "security features" like
>>> > "Content-Security-Policy" that prevent modern browsers from visiting
>>> > your SSL-stripped sites, but I believe your out-dated browser will
>>> > happily ignore those.
>>> >
>>> > --Zizhong
>>> >
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>
>


------------------------------

End of stunnel-users Digest, Vol 173, Issue 7
*********************************************
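The stunnel log in kovacs janos's message (a connection accepted, 197 bytes sent "to TLS", 332 bytes back, then closed) fits a listener that received the browser's own TLS ClientHello: a browser told to open https://127.0.0.1:443 starts a TLS handshake toward the accept port, a client-mode tunnel treats those bytes as plaintext payload and wraps them in its own TLS session, and the remote HTTPS server then gets a handshake where it expects an HTTP request. The Python below is an added example, not code from stunnel or from any poster on this thread; it classifies the first bytes a plaintext listener receives so a forwarder can log that mismatch (and the SNI name the client asked for) instead of silently relaying it. The ClientHello and HTTP request it feeds itself are constructed in the script, not captured from the poster's setup, and the function names are this example's own.

```python
"""Classify the first bytes a plaintext listener receives.

Added example (not stunnel's code, not any poster's code): a TLS ClientHello
arriving on a port the tunnel treats as plaintext means the browser was
pointed at https:// instead of http://, and the handshake would be wrapped
in a second TLS layer. The sample bytes built below are constructed here.
"""
import struct
from typing import Optional

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return versions and SNI if data begins with a TLS ClientHello record."""
    # Record header: type 0x16 (handshake), version, length; handshake type 0x01.
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        return None
    record_version = struct.unpack("!H", data[1:3])[0]
    hello_version = struct.unpack("!H", data[9:11])[0]
    info = {
        "record_version": TLS_VERSIONS.get(record_version, hex(record_version)),
        "client_version": TLS_VERSIONS.get(hello_version, hex(hello_version)),
        "sni": None,
    }
    # Walk the variable-length fields to reach the extensions block; a truncated
    # hello still yields the version information collected so far.
    pos = 11 + 32                                   # skip client_random
    if pos + 1 > len(data):
        return info
    pos += 1 + data[pos]                            # session_id
    if pos + 2 > len(data):
        return info
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(data):
        return info
    pos += 1 + data[pos]                            # compression_methods
    if pos + 2 > len(data):
        return info
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        # server_name extension: list length (2), name_type 0, name length (2), name
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:
            name_len = struct.unpack("!H", body[3:5])[0]
            info["sni"] = body[5:5 + name_len].decode("ascii", "replace")
        pos += 4 + length
    return info


def classify(data: bytes) -> str:
    """Describe what the peer is speaking so a forwarder can log a mismatch."""
    hello = parse_client_hello(data)
    if hello:
        target = f" for {hello['sni']}" if hello["sni"] else ""
        return f"TLS ClientHello ({hello['client_version']}){target}"
    if data.startswith(HTTP_METHODS):
        return "plaintext HTTP request"
    return "unknown"


def build_client_hello(sni: str, version: int = 0x0303) -> bytes:
    """Constructed minimal ClientHello with one cipher suite and an SNI extension."""
    host = sni.encode("ascii")
    sni_body = struct.pack("!H", len(host) + 3) + b"\x00" + struct.pack("!H", len(host)) + host
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body
    hello = (struct.pack("!H", version) + bytes(32)      # client_version, client_random (zeros)
             + b"\x00"                                    # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
             + b"\x01\x00"                                # null compression only
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed inputs: what an https:// URL and an http:// URL each put on the wire.
    for sample in (build_client_hello("via.hypothes.is"),
                   b"GET / HTTP/1.1\r\nHost: via.hypothes.is\r\n\r\n"):
        print(f"{len(sample):4d} bytes: {classify(sample)}")
```

Run stand-alone it prints one line per constructed sample; the first is reported as a TLS 1.2 ClientHello for via.hypothes.is, the second as a plaintext HTTP request, which is the difference between the https:// and http:// cases in the thread. Wired into a forwarder's accept path (peek at the first bytes before relaying), the ClientHello branch is the condition worth logging, since the only thing the remote HTTPS server can do with a handshake inside the tunnel's TLS session is reject it and close, which is what the browser then reports.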



