[stunnel-users] older browsers, stunnel and privoxy

kovacs janos kovacsjanosfasz at gmail.com
Sun Dec 9 20:18:39 CET 2018


How can I disable verification though? At first I just want to see it
work at all.
In the howto page, it says this:
"
Stunnel has 3 methods for checking certificates, which are controlled
by the verify option:

    * Do not Verify Certificates
          If no verify argument is given, then stunnel will ignore any
          certificates offered and will allow all connections.
"

There is no "verify" in the stunnel.conf file, and only the gmail
service examples have verifyChain.

On 12/9/18, Yyy <yyy at yyy.id.lv> wrote:
> How would a connection between stunnel and the server through a proxy work? To
> verify the server's identity, stunnel needs to receive and verify the server's
> certificate, and since the server's address is defined in the config file, anything
> that modifies traffic between stunnel and the server will be seen as MITM and
> that will break connectivity.
> It might be possible to disable certificate verification, but in that case
> sslstrip would be a better solution (it would have the same security).
>
> On December 9, 2018 3:30:34 PM EET, kovacs janos <kovacsjanosfasz at gmail.com>
> wrote:
>>I mean a proxy that can work with the address of the actual website
>>opened in the browser, not just specific addresses defined in the
>>config file.
>>
>>At least I thought that's what you meant with this:
>>"In case of client (browser), for each remote (https) server to be
>>connected to, stunnel config file will need an entry;
>>in browser it will not be possible to use DNS names (all servers will
>>have to be addressed as 127.0.0.1:someport
>>where "someport", is port assigned in stunnel conf server entry accept
>>statement), so most links in webpages will not work."
>>
>>If stunnel can only work with specified addresses, can't a proxy like
>>privoxy be set up at both ends, and stunnel only has to accept and
>>connect to the address of the proxies?
>>
>>On 12/9/18, Yyy <yyy at yyy.id.lv> wrote:
>>> What do you mean by dynamic address proxy?
>>>
>>> On December 8, 2018 12:39:26 AM EET, kovacs janos
>>> <kovacsjanosfasz at gmail.com> wrote:
>>>>If stunnel can only accept from and forward to one address, can't that
>>>>be gotten around by setting a dynamic address proxy on both sides of
>>>>stunnel? Like:
>>>>proxy - stunnel - proxy
>>>>
>>>>Although I haven't been able to connect to even a single website, but I
>>>>didn't try with specifically the IP
>>>>
>>>>On 12/7/18, yyy <yyy at yyy.id.lv> wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "kovacs janos" <kovacsjanosfasz at gmail.com>
>>>>> To: "Flo Rance" <trourance at gmail.com>
>>>>> Cc: <stunnel-users at stunnel.org>
>>>>> Sent: Friday, December 07, 2018 2:30 AM
>>>>> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
>>>>>
>>>>>
>>>>>> Now I'm really not sure, since the wikipedia page on stunnel also
>>>>>> describes the program doing exactly what I need in the Example
>>>>>> scenario section:
>>>>>> https://en.wikipedia.org/wiki/Stunnel#Example_scenario
>>>>>>
>>>>>> "Network traffic from the client initially passes over SSL to the
>>>>>> stunnel application, which transparently encrypts/decrypts traffic and
>>>>>> forwards unsecured traffic to port 25 locally. The mail server sees a
>>>>>> non-SSL mail client. "
>>>>>>
>>>>>> Only difference is, I need it to forward "unsecured traffic" to my
>>>>>> browser client, not a server. Are you all sure it's really not
>>>>>> possible?
>>>>>>
>>>>>>
>>>>> It is possible with the same limitations as with server case.
>>>>> In case of server, there is one server, which accepts incoming connections
>>>>> (unencrypted) and stunnel accepts unencrypted
>>>>> connections for that (one) server and decrypts and forwards them. There is
>>>>> only one server, which gets connected by stunnel.
>>>>>
>>>>> In case of client (browser), for each remote (https) server to be connected
>>>>> to, stunnel config file will need an entry;
>>>>> in browser it will not be possible to use DNS names (all servers will have
>>>>> to be addressed as 127.0.0.1:someport
>>>>> where "someport", is port assigned in stunnel conf server entry accept
>>>>> statement), so most links in webpages will not work.
>>>>> It may be feasible for a small number of servers, which do not link any
>>>>> external resources.
>>>>>
>>>>> _______________________________________________
>>>>> stunnel-users mailing list
>>>>> stunnel-users at stunnel.org
>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
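
An added example, not part of the original message and not stunnel project code: a small Python audit that reports which client-mode services in a stunnel.conf actually check the server certificate, since a service with no verify/verifyChain line accepts any certificate. The sample configuration, host names and ports are constructed, `parse` and `audit` are hypothetical helper names, and treating any legacy `verify` level above 0 as verification is a simplifying assumption.

```python
# Constructed sample (not from the thread): one client entry per remote server.
SAMPLE_CONF = """\
[site-a]
client = yes
accept = 127.0.0.1:8081
connect = www.example.org:443
[site-b]
client = yes
accept = 127.0.0.1:8082
connect = www.example.net:443
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = www.example.net
"""

def parse(text):
    """Return {service: {option: [values]}}; global options live under ''."""
    services, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            services[current].setdefault(key.lower(), []).append(value)
    return services

def audit(text):
    """Map each client-mode service to a verdict on certificate checking."""
    services = parse(text)
    defaults = services.pop("")
    verdicts = {}
    for name, opts in services.items():
        # Service value wins, then the global section, then "" for "not set".
        get = lambda k: (opts.get(k) or defaults.get(k) or [""])[-1].lower()
        if get("client") != "yes":
            continue
        pinned = get("verifypeer") == "yes"
        chain = get("verifychain") == "yes" or get("verify") not in ("", "0")
        if not (pinned or chain):
            verdicts[name] = "no certificate verification"
        elif not pinned and not (get("checkhost") or get("checkip")):
            verdicts[name] = "chain verified, peer name not checked"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Running `audit(SAMPLE_CONF)` flags site-a, the entry written without any verification option, and passes site-b, which follows the verifyChain pattern of the gmail service examples mentioned above.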


