Thank you, but I know about it; I'm "Youse" on that forum. I wanted to try stunnel because it seems safer and generally accepted while promising about the same thing, and it works on my OS too.
On 12/5/18, Thomas GMX <[email protected]> wrote:
> Hi Janos,
>
> you can use a local proxy to "translate" HTTPS TLS1.0 to TLS1.2
> Look here:
>
> https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?page=7&tab=comments#comment-1155858
>
> HTTPSProxy (and tools) manage the whole traffic locally (in- and outgoing
> HTTPS), but needs manual configuration as described in the help files.
> If you have questions please ask in this forum.
>
> Regards Thomas S.
>
> -----Original Message-----
> From: stunnel-users [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Wednesday, December 05, 2018 10:12 AM
> To: [email protected]
> Subject: stunnel-users Digest, Vol 173, Issue 4
>
> Send stunnel-users mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of stunnel-users digest..."
>
> Today's Topics:
>
> 1. Re: older browsers, stunnel and privoxy (kovacs janos)
> 2. Re: older browsers, stunnel and privoxy (Zizhong Zhang)
> 3. Re: older browsers, stunnel and privoxy (kovacs janos)
> 4. Re: older browsers, stunnel and privoxy (Flo Rance)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Dec 2018 19:27:15 +0100
> From: kovacs janos <[email protected]>
> To: Flo Rance <[email protected]>
> Cc: [email protected]
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID: <caochpkrotmoagcpv4fk19nhzep-5-jgjx3easfcfqbmvydr...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Well yes, I'm pretty sure the same encryption is needed in requests and
> the returned page, otherwise it would probably get a no cypher overlap
> error.
>
> So I basically need stunnel to encrypt outgoing requests, and decrypt
> the returned things, and only on the browser side of the connection.
>
> There's a good reason why they are deprecated, but it would be better
> to add this functionality this way if possible, rather than change
> whole programs, especially when it's the purpose of stunnel, according
> to the description.
>
> On 12/4/18, Flo Rance <[email protected]> wrote:
>> This is not what I've understood from your first description. You would
>> like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a
>> web proxy.
>>
>> This is why I don't think stunnel is intended for that.
>>
>> That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason
>> and you should seriously think to update your tools.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <[email protected]> wrote:
>>
>>> Well, it says this on the first line of the website:
>>> "Stunnel is a proxy designed to add TLS encryption functionality to
>>> existing clients and servers without any changes in the programs'
>>> code."
>>>
>>> I just want to add TLS functionality to client browsers which don't
>>> have it. I only need stunnel to decrypt TLS traffic going back to the
>>> browser.
>>>
>>> On 12/4/18, Flo Rance <[email protected]> wrote:
>>> > Sorry I didn't read it correctly. I don't think this is something
>>> > stunnel can handle.
>>> >
>>> > Regards,
>>> > Flo
>>> >
>>> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <[email protected]> wrote:
>>> >
>>> >> Thank you for the reply,
>>> >> it's the address and port where privoxy listens for requests.
>>> >> From the config file:
>>> >> "# 4.1. listen-address
>>> >> # ====================
>>> >> #
>>> >> # Specifies:
>>> >> #
>>> >> # The IP address and TCP port on which Privoxy will listen for
>>> >> # client requests."
>>> >> and under it:
>>> >>
>>> >> listen-address 127.0.0.1:8118
>>> >>
>>> >> On 12/3/18, Flo Rance <[email protected]> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > It's not clear in your description what is running on 8118 local
>>> >> > port.
>>> >> >
>>> >> > Regards,
>>> >> > Flo
>>> >> >
>>> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <[email protected]> wrote:
>>> >> >
>>> >> >> Sorry to bother,
>>> >> >> I'm trying to make older browsers be able to display TLS 1.1 and
>>> >> >> TLS 1.2 sites.
>>> >> >> I heard stunnel can't be configured to always forward to the current
>>> >> >> site address dynamically, that's why I would use privoxy.
>>> >> >> The browser is configured to send to:
>>> >> >> 127.0.0.1 443
>>> >> >>
>>> >> >> stunnel config has this at the end:
>>> >> >> [Tunnel_in]
>>> >> >> client = yes
>>> >> >> accept = 127.0.0.1:443
>>> >> >> connect = 127.0.0.1:8118
>>> >> >> verifyChain = yes
>>> >> >> CAfile = ca-certs.pem
>>> >> >> checkHost = localhost
>>> >> >>
>>> >> >> 127.0.0.1:8118 is the privoxy address.
>>> >> >> This is what stunnel writes:
>>> >> >> LOG5[main]: Configuration successful
>>> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
>>> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
>>> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
>>> >> >>
>>> >> >> and the browser infinitely loads, and never loads anything or
>>> >> >> leaves the page.
>>> >> >> If I remove the last 3 lines, it's the same, just with this line added:
>>> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
>>> >> >>
>>> >> >> but it doesn't give an error or anything.
>>> >> >>
>>> >> >> With a configuration like:
>>> >> >> [Tunnel_out]
>>> >> >> client = no
>>> >> >> accept = 127.0.0.1:443
>>> >> >> connect = 127.0.0.1:8118
>>> >> >> cert = stunnel.pem
>>> >> >>
>>> >> >> this is what it gives:
>>> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
>>> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>>> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>>> >> >>
>>> >> >> and the browser gives a server not found error immediately. I'm not
>>> >> >> even sure if I should use client or server configuration in a case
>>> >> >> like this, but none of them works anyway. All I would need is for my
>>> >> >> browser to get the pages decrypted, or at least in less than TLS1.1.
>>> >> >> Like how on newipnow.com I can access sites with any encryption,
>>> >> >> since they are sent to the browser without encryption. The browser
>>> >> >> just gives an "unencrypted tunnel" warning, which is how I found
>>> >> >> stunnel, and which is exactly what I need, just locally.
>
> ------------------------------
>
> Message: 2
> Date: Tue, 04 Dec 2018 19:16:53 +0000
> From: Zizhong Zhang <[email protected]>
> To: kovacs janos <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID: <mSx8WOjppmpWbvW5ETuPUXO048xh4PcPTtZPpOpzkrecueeSUtjQQx13FhtLO24lkyNXRPe_lNpMV8ko6RMEvowOx7mg6rl_1hwj43QAxWw=@protonmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hello,
>
>> I'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2
>> sites.
>> I heard stunnel can't be configured to always forward to the current
>> site address dynamically, that's why I would use privoxy.
>
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
>
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
>
> events {}
> http {
>     server {
>         resolver 9.9.9.9;
>         listen 80;
>         location / {
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>         }
>     }
> }
>
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
>
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> outdated browser will happily ignore those.
>
> --Zizhong
>
> ------------------------------
>
> Message: 3
> Date: Tue, 4 Dec 2018 21:37:53 +0100
> From: kovacs janos <[email protected]>
> To: Zizhong Zhang <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID: <CAOchpkq7vG8vHBCrbVn6d4Eh7M2rd6jEob_huhoG=zefjnp...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Well, what I meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> Is it really that complicated to achieve that? If I configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldn't stunnel encrypt the traffic with TLS and send it forward to the
> connect address? If that's true, shouldn't it also decrypt returning
> traffic and send it back to the browser?
> When I configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
> decrypted it again before it reached the website's server?
>
> I don't necessarily need it to strip encryption, just use anything
> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
> sites that would otherwise give a cypher error, and they stay as https.
>
> ------------------------------
>
> Message: 4
> Date: Wed, 5 Dec 2018 10:12:06 +0100
> From: Flo Rance <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected]
> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
> Message-ID: <CAHogYcV+ig2-2u8CWYbbqH_AnkiZNzqM9etx=jhj3n+nug-...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I would recommend to use squid, which is able to do SSL bump.
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
> will establish a TLSv1.2 connection to the final destination.
>
> Regards,
> Flo
>
> ------------------------------
>
> End of stunnel-users Digest, Vol 173, Issue 4
> *********************************************

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
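The `SSL23_GET_CLIENT_HELLO:https proxy request` error in the first message comes from OpenSSL sniffing the first bytes on the socket before any TLS parsing: a browser told to use 127.0.0.1:443 as an HTTP proxy sends a plaintext `CONNECT` line, not a ClientHello. The Python below is an added example, not code from the thread, stunnel or OpenSSL: it reproduces that sniff on constructed samples and maps the result to the two stunnel behaviours the thread's logs show, assuming (as the thread does) a plaintext privoxy listener on the `connect=` side.

```python
# Added example: mirror OpenSSL's pre-handshake check that yields the
# "https proxy request" / "http request" errors, and decode the version
# fields of a TLS ClientHello. Samples below are constructed, not captured.

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# What a browser configured with an HTTP proxy on 127.0.0.1:443 sends first.
CONNECT_LINE = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# TLS record header (0x16 handshake, version 3.1, length) + handshake header
# (0x01 ClientHello, length) + client_version 3.1. Lengths are nominal:
# only the header fields are inspected here.
TLS10_HELLO = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02" + b"\x03\x01"


def classify_first_bytes(data: bytes) -> dict:
    """Plaintext proxy/HTTP lines are rejected before any TLS parsing;
    otherwise report the ClientHello's record and client versions."""
    if data.startswith(b"CONNECT"):
        return {"kind": "https_proxy_request"}
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return {"kind": "http_request"}
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        record = (data[1], data[2])
        client = (data[9], data[10])
        return {
            "kind": "tls_client_hello",
            "record_version": TLS_VERSIONS.get(record, "unknown"),
            "client_version": TLS_VERSIONS.get(client, "unknown"),
        }
    return {"kind": "unknown"}


def stunnel_outcome(data: bytes, client_mode: bool) -> str:
    """What a stunnel service on 127.0.0.1:443 does with these first bytes,
    given a plaintext HTTP proxy (privoxy) on the connect= side."""
    kind = classify_first_bytes(data)["kind"]
    if client_mode:
        # client = yes: the browser's bytes are treated as plaintext and
        # wrapped in TLS towards connect=. A plaintext listener there is
        # handed a TLS handshake it cannot answer; the thread's log shows the
        # TCP connect succeed and nothing after it.
        return "forwarded inside TLS; plaintext upstream never replies"
    if kind in ("https_proxy_request", "http_request"):
        # client = no: SSL_accept rejects the plaintext proxy line outright.
        return "SSL_accept fails: " + kind.replace("_", " ")
    if kind == "tls_client_hello":
        return "TLS handshake attempted with stunnel's own cert"
    return "unknown protocol, SSL_accept fails"
```

Neither stunnel mode can work here because the browser speaks the proxy protocol, not TLS, to port 443; a proxy that terminates TLS towards the origin (the squid SSL-bump or nginx approaches suggested later in the thread) is what actually fits.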
