[stunnel-users] older browsers, stunnel and privoxy

Peter Pentchev roam at ringlet.net
Fri Dec 21 12:58:35 CET 2018

On Fri, Dec 21, 2018 at 02:46:29AM +0100, Javier wrote:
> On Fri, 21 Dec 2018 00:01:08 +0100
> kovacs janos <kovacsjanosfasz at gmail.com> wrote:
> > Okay, so that means I should be able to connect to a website's server
> > with only stunnel, and only its client side, even if I have to specify
> > the destination IP of the server? I tried that and it didn't seem to work
> > either. I wrote the website's IP address after 'connect', tried to
> > open the website in the browser, and it wasn't working. But maybe I just
> > did something wrong. Thank you for the explanation though.
> > 
> Hi,
> Stunnel is not for web browsing through it.
> We already gave you reasons and explanations why that won't work.
> Read them again.

Hm, there's no reason why stunnel would not work like that for
a predetermined set of hosts with known addresses.  I just set it up
with a configuration section like this - but see below about me
NOT recommending this way for servers that are not under your control:

client = yes
accept =
connect =
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = wfe0.nyi.freebsd.org

...and I added "www.freebsd.org" to the list of hostnames for
the address in the system's hosts file (/etc/hosts on
Unix-like operating systems, windows\System32\Drivers\etc\hosts on Windows).
Then, when I ask for "http://www.freebsd.org/" (without HTTPS) in
a browser or cURL or whatever, it gets the address from the hosts
file, connects to, then stunnel establishes a tunnel to
the FreeBSD webserver's IP address, verifies its certificate, and
lets the browser send its plaintext HTTP request there.

Of course, as I noted in the previous message, this will only let
browsers connect through stunnel to hosts that have previously been
defined in the stunnel configuration and in the hosts file.  Also,
since the hosts file takes over the resolving of the host name to
IP address, it is your responsibility now to check whether www.freebsd.org
changed its IP address; it is also your responsibility now to check
whether the Common Name of the actual server also changed
(wfe0.nyi.freebsd.org in this case) - chasing down DNS CNAME records
can be... interesting sometimes.

All in all, I would have to say that I really do not recommend going
down this road, especially for websites that are not under your control;
this here was done merely as a proof of concept.


Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
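The setup described above, written out as a complete stunnel client section next to the unverified variant it should be contrasted with. This is an added example, not the configuration from the post or from the stunnel project: the loopback listen address 127.0.0.2, the listen port 80, the section names and the server address 203.0.113.10 (a documentation-range placeholder, not the real FreeBSD web server) are all assumptions; the checkHost name is the one the post uses.

```ini
; Added example, not from the original post. All addresses are assumptions.
;
; The browser asks for plain http://www.freebsd.org/ ; the hosts file maps
; that name to 127.0.0.2, so the request lands on this listener on port 80.
[www-freebsd-org]
client = yes
accept = 127.0.0.2:80
; Pinned upstream address (placeholder). Because the hosts file now shadows
; DNS for www.freebsd.org, nothing will notice if the real address changes;
; re-check it by hand (e.g. `dig +short www.freebsd.org` from a host that
; does not carry the override).
connect = 203.0.113.10:443
; Verify the server chain against the system CA store and require that the
; certificate actually names the host we expect. checkHost matches against
; the Subject Alternative Names and Common Name, so if the server's
; certificate is reissued under a different name this section stops working
; (which is the intended failure mode, not a bug).
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = wfe0.nyi.freebsd.org

; WEAK VARIANT, shown only for contrast. Without verifyChain/checkHost
; stunnel's default is to accept any certificate, so the pinned IP is the
; only thing standing between the browser and a man-in-the-middle: anyone
; who can answer on 203.0.113.10:443 (or re-route traffic to it) can serve
; their own certificate and read the plaintext HTTP the browser sends.
; Do not use this section; it is here to make the difference visible.
;[www-freebsd-org-unverified]
;client = yes
;accept = 127.0.0.3:80
;connect = 203.0.113.10:443
```

To go with it, the hosts file needs a line such as `127.0.0.2 www.freebsd.org` (the address is an assumption, matching the `accept` line above). On Linux the whole 127.0.0.0/8 block is already reachable on the loopback interface, so 127.0.0.2 works as-is; on FreeBSD, other BSDs and macOS only 127.0.0.1 is configured by default and the extra address has to be added as a loopback alias first. `checkHost` needs stunnel built against OpenSSL 1.0.2 or later, and `CApath` expects a hashed certificate directory (which `/etc/ssl/certs` is on Debian-derived systems); if either is missing, stunnel logs the failure and refuses the connection rather than falling back to the unverified behaviour.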