[stunnel-users] older browsers, stunnel and privoxy

Peter Pentchev roam at ringlet.net
Fri Jan 4 00:14:16 CET 2019


On Sun, Dec 30, 2018 at 03:36:56AM +0100, kovacs janos wrote:
> It still doesn't seem to work. I tried it with deviantart.com again.
> configuration:
> client = yes
> accept = 127.0.0.1:80
> connect = 52.85.220.247:443
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = *.deviantart.com
> 
> The name after checkHost is the "Common Name" displayed when viewing
> the site's certificate in a browser (lock icon, view certificate). I
> also saved the certificate in case I would need to try the
> "certificate pinning" method. The connect IP is what 'get-site-ip.com'
> says the IP of the website is.
> 
> These are the logs:
> Service [fbsd-www] accepted connection from 127.0.0.1:4121
> s_connect: connected 52.85.220.247:443
> Service [fbsd-www] connected remote server from 192.168.0.3:4122
> SSL_connect: 14077410: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 
> I know I pestered everyone long enough, but I still haven't been able
> to connect to anything. Without any verification it's the same

I'm sorry, my mistake.  In a reply to somebody else on the list
a couple of days later I mentioned that for HTTPS you may also
need to set the "sni = www.deviantart.com" connection option so
that stunnel tells the server "I'm trying to establish an HTTPS
connection to this particular server", which, for HTTPS, may be
important when multiple virtual hosts all live on the same IP
address.

I haven't tried it with stunnel, but I just tried to establish
a TLS connection to the IP address you specified using "openssl
s_client" and it failed, and then I tried to specify
the "-servername www.deviantart.com" s_client option, and
it worked.  So try adding "sni = www.deviantart.com" to your
stunnel configuration section and see if it helps.

Sorry again, I should have thought about this from the start;
I was misled by the fact that the FreeBSD webserver did not
require the Server Name Indication extension to work, but
apparently DeviantArt does.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
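As an added illustration (not part of this thread or of stunnel itself), the script below shows on the wire what the "sni = ..." option, or s_client's "-servername", changes: it drives OpenSSL's client handshake into memory BIOs with and without a server name and parses the resulting ClientHello for the server_name extension. It assumes Python 3 with the OpenSSL-backed ssl module; no network connection is made.

```python
import ssl
import struct

def client_hello_bytes(server_hostname):
    """Start a TLS client handshake into memory BIOs (no network) and return
    the ClientHello bytes OpenSSL produced. server_hostname=None mirrors an
    stunnel section without 'sni = ...' (or s_client without -servername)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before allowing hostname=None
    ctx.verify_mode = ssl.CERT_NONE  # we only want the ClientHello, not a real session
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # ClientHello written; now waiting for ServerHello
    return outgoing.read()

def sni_from_client_hello(data):
    """Walk the ClientHello (RFC 5246 layout) and return the host name carried
    in the server_name extension (type 0), or None if no SNI was sent."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # handshake hdr, version, random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        # ServerNameList: list length (2), name_type (1, 0 = host_name), name length (2), name
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii")
    return None

if __name__ == "__main__":
    for host in (None, "www.deviantart.com"):
        sni = sni_from_client_hello(client_hello_bytes(host))
        print(f"server_hostname={host!r}: SNI in ClientHello = {sni!r}")
```

A server hosting several virtual hosts on one address picks its certificate from this extension, which is why the handshake above was refused when it was missing.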