Well, what I meant is forwarding to the current address the browser connects to, so basically browsing through stunnel.

Is it really that complicated to achieve that? If I configure stunnel as a client, and make the browser send traffic to the accept address, shouldn't stunnel encrypt the traffic with TLS and send it forward to the connect address? If that's true, shouldn't it also decrypt returning traffic and send it back to the browser? When I configured stunnel as both client and server on the same computer, it worked, but the browser still gave 'ssl_error_no_cypher_overlap' errors. Probably because the server side decrypted it again before it reached the website's server?

I don't necessarily need it to strip encryption, just use anything below TLS 1.1. For example, on 'https://via.hypothes.is/' I can visit sites that would otherwise give a cypher error, and they stay as https.

On 12/4/18, Zizhong Zhang <[email protected]> wrote:
> Hello,
>
>> I'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2
>> sites.
>> I heard stunnel can't be configured to always forward to the current
>> site address dynamically, that's why I would use privoxy.
>
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
>
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
>
> events {}
> http {
>     server {
>         # resolver is needed because proxy_pass uses variables
>         resolver 9.9.9.9;
>         listen 80;
>         location / {
>             # re-issue the plain HTTP request to the same host over HTTPS
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>         }
>     }
> }
>
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
>
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> out-dated browser will happily ignore those.
>
> --Zizhong
>
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
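
The single-destination client mode discussed in this thread, written out as a stunnel configuration. This is an added example, not part of the original messages; the host name `www.example.org`, the local port 8080 and the CA bundle path are assumptions.

```ini
; Added example (not from the thread). Host name, port and CAfile path
; are assumptions chosen for illustration.
;
; One [service] section has one fixed "connect" target. stunnel does not
; read the HTTP request, so it cannot pick the destination per site the
; way an HTTP proxy does.
[legacy-browser]
client  = yes
; Listen on loopback only, so the unencrypted leg never leaves this machine.
accept  = 127.0.0.1:8080
connect = www.example.org:443
; Resolve the connect name when a connection is made, as suggested in the
; quoted reply, instead of once at startup.
delay   = yes
; Send the server name in the TLS handshake.
sni     = www.example.org

; Weak form: with none of the three options below, stunnel in client mode
; does not verify the server certificate, so the TLS leg can be intercepted
; without any error reaching the browser.
;
; Corrected form: verify the chain against a CA bundle and check that the
; certificate was issued for the host being connected to.
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = www.example.org
```

With this in place the old browser requests `http://127.0.0.1:8080/` in plain HTTP and stunnel negotiates TLS with the one configured host. The browser no longer sees the certificate, so the checks in this file are the only server authentication left on the path.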
