Thank you for the suggestions, but can someone tell me in what cases stunnel can be used? I can connect to http websites through it, but https doesn't work, even if it would otherwise do. I try to connect to 'https://via.hypothes.is/' like this, which I can access in the browser without any proxy:

    [Tunnel_in]
    client = yes
    accept = 127.0.0.1:443
    connect = via.hypothes.is:443

I get these logs:

    LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
    LOG5[1]: s_connect: connected 104.20.214.15:443
    LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
    LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket

and the browser just shows a 'server not found' error. With http sites it's the same logs except the IP and bytes, and it loads in the browser.

On 12/5/18, Flo Rance <[email protected]> wrote:
> I would recommend to use squid which is able to do SSL bump.
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
> will establish a TLSv1.2 to the final destination.
>
> Regards,
> Flo
>
> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <[email protected]>
> wrote:
>
>> Well, what I meant is forwarding to the current address the browser
>> connects to, so basically browsing through stunnel.
>>
>> Is it really that complicated to achieve that? If I configure stunnel
>> as a client, and make the browser send traffic to the accept address,
>> shouldn't stunnel encrypt the traffic with TLS and send forward to the
>> connect address? If that's true, shouldn't it also decrypt returning
>> traffic and send back to the browser?
>> When I configured stunnel as both client and server on the same
>> computer, it worked, but the browser still gave
>> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
>> decrypted it again before it reached the website's server?
>>
>> I don't necessarily need it to strip encryption, just use anything
>> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
>> sites that would otherwise give cypher error, and they stay as https
>>
>> On 12/4/18, Zizhong Zhang <[email protected]> wrote:
>> > Hello,
>> >
>> >> I'm trying to make older browsers be able to display TLS 1.1 and
>> >> TLS 1.2 sites.
>> >> I heard stunnel can't be configured to always forward to the current
>> >> site address dynamically, that's why I would use privoxy.
>> >
>> > If by "forward to the current site address dynamically" you meant
>> > "forward to the current address of one specific domain" then stunnel
>> > can achieve that by adding "delay = yes".
>> >
>> > However, if I understood correctly, you wanted to let stunnel strip
>> > or remove SSL for whatever sites you visit. Then no, I don't think you
>> > can achieve that with privoxy and stunnel. If that's what you want, I
>> > would suggest you use nginx to remove SSL. The following example
>> > configuration will let nginx "upgrade" your HTTP request to HTTPS.
>> >
>> > events {} http { server {
>> >     resolver 9.9.9.9;
>> >     listen 80;
>> >     location / {
>> >         proxy_pass https://$host$request_uri;
>> >         proxy_set_header Host $http_host;
>> >     }
>> > }}
>> >
>> > You can then point any domain to the nginx server (for example, via the
>> > hosts file) and visit the site via HTTP. This will make HTTPS-only
>> > servers happy.
>> >
>> > That won't strip third-party HTTPS:// URL resources like NewIPNow does,
>> > but you can use the nginx "sub_filter" to replace HTTPS with HTTP in
>> > HTML. Also there are "security features" like "Content-Security-Policy"
>> > that prevent modern browsers from visiting your SSL-stripped sites, but
>> > I believe your out-dated browser will happily ignore those.
>> >
>> > --Zizhong
>> >
>> _______________________________________________
>> stunnel-users mailing list
>> [email protected]
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>
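
An added sketch, not part of the thread and not stunnel's own code, of the client-mode arrangement the messages above describe: plaintext is accepted on a local address and carried over verified TLS 1.2 or later to the connect target. It also checks whether the local client's first bytes are themselves a TLS ClientHello, since wrapping those would hand the remote server a handshake where it expects an HTTP request. The listen port 8080 and all function names are assumptions.

```python
import socket
import ssl
import threading

REMOTE = ("via.hypothes.is", 443)  # connect= target taken from the post
LISTEN = ("127.0.0.1", 8080)       # assumed local accept address

def is_tls_client_hello(data: bytes) -> bool:
    """True if the bytes start a TLS handshake record carrying a ClientHello."""
    # Record type 0x16 (handshake), major version 0x03, handshake type 0x01.
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def pump(src, dst):
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        dst.close()

def handle(local):
    first = local.recv(4096)
    if is_tls_client_hello(first):
        # The local client already speaks TLS; refuse rather than nest TLS in TLS.
        local.close()
        return
    ctx = ssl.create_default_context()            # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # outward leg is TLS 1.2 or later
    try:
        raw = socket.create_connection(REMOTE, timeout=10)
        remote = ctx.wrap_socket(raw, server_hostname=REMOTE[0])
    except OSError:                               # includes ssl.SSLError
        local.close()
        return
    remote.sendall(first)
    threading.Thread(target=pump, args=(remote, local), daemon=True).start()
    pump(local, remote)

def serve():
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```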
