Hi Janos,

mail (SMTP / POP / IMAP) are different protocols than HTTPS. I was not able to connect via stunnel to a server via HTTPS - and this was the reason to create and use my HTTPSProxy. HTTPSProxy is based on this code (local front- and rear proxy are connected directly without Proxomitron):

https://prxbx.com/forums/showthread.php?tid=2172
https://prxbx.com/forums/showthread.php?tid=2191&pid=19252#pid19252

You can build your own release with python if you do not trust the versions offered by me or HeinoGanda on MSFN.

Regards
Thomas S.

-----Original Message-----
From: stunnel-users [mailto:[email protected]] On Behalf Of [email protected]
Sent: Friday, December 07, 2018 12:00 PM
To: [email protected]
Subject: stunnel-users Digest, Vol 173, Issue 7

Today's Topics:

   1. Re: older browsers, stunnel and privoxy (kovacs janos)

----------------------------------------------------------------------

Message: 1
Date: Fri, 7 Dec 2018 01:30:21 +0100
From: kovacs janos <[email protected]>
To: Flo Rance <[email protected]>
Cc: [email protected], [email protected]
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID: <caochpkp+5ydig_xpwpfvdp9zq-l2un10p8wzsm9ggv2iuwp...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

now im really not sure, since the wikipedia page on stunnel also describes the program doing exactly what i need in the Example scenario section:
https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client. "

only difference is, i need it to forward "unsecured traffic" to my browser client, not a server.
are you all sure its really not possible?

On 12/5/18, kovacs janos <[email protected]> wrote:
> thank you for suggestions, but can someone tell me in what cases
> stunnel can be used?
> i can connect to http websites through it, but https doesnt work, even
> if it would otherwise do.
> i try to connect to 'https://via.hypothes.is/' like this, which i can
> access in browser without any proxy:
> [Tunnel_in]
> client = yes
> accept = 127.0.0.1:443
> connect = via.hypothes.is:443
>
> i get these logs:
> LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
> LOG5[1]: s_connect: connected 104.20.214.15:443
> LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
> LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
>
> and the browser just shows a 'server not found' error.
> with http sites its the same logs except the IP and bytes, and it
> loads in the browser.
>
> On 12/5/18, Flo Rance <[email protected]> wrote:
>> I would recommend to use squid which is able to do SSL bump.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> Therefore, you'll be able to connect with TLS1.0 to squid and the proxy
>> will establish a TLSv1.2 to the final destination.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <[email protected]>
>> wrote:
>>
>>> well, what i meant is forwarding to the current address the browser
>>> connects to, so basically browsing through stunnel.
>>>
>>> is it really that complicated to achieve that? if i configure stunnel
>>> as a client, and make the browser send traffic to the accept address,
>>> shouldnt stunnel encrypt the traffic with TLS and send forward to the
>>> connect address? if thats true, shouldnt it also decrypt returning
>>> traffic and send back to the browser?
>>> when i configured stunnel as both client and server on the same
>>> computer, it worked, but the browser still gave
>>> 'ssl_error_no_cypher_overlap' errors. probably because the server side
>>> decrypted it again before it reached the website's server?
>>>
>>> i dont necessarily need it to strip encryption, just use anything
>>> below TLS 1.1. for example on 'https://via.hypothes.is/' i can visit
>>> sites that would otherwise give cypher error, and they stay as https
>>>
>>> On 12/4/18, Zizhong Zhang <[email protected]> wrote:
>>> > Hello,
>>> >
>>> >> im trying to make older browsers be able to display TLS 1.1 and TLS 1.2
>>> >> sites.
>>> >> i heard stunnel cant be configured to always forward to the current
>>> >> site address dynamically, thats why i would use privoxy.
>>> >
>>> > If by "forward to the current site address dynamically" you meant "forward
>>> > to the current address of one specific domain" then stunnel can achieve that
>>> > by adding "delay = yes".
>>> >
>>> > However, if I understood correctly, you wanted to let stunnel strip
>>> > or remove SSL for whatever sites you visit. Then no, I don't think you can
>>> > achieve that with privoxy and stunnel. If that's what you want, I would
>>> > suggest you use nginx to remove SSL. The following example configuration
>>> > will let nginx "upgrade" your HTTP request to HTTPS.
>>> >
>>> > events {} http { server {
>>> >     resolver 9.9.9.9;
>>> >     listen 80;
>>> >     location / {
>>> >         proxy_pass https://$host$request_uri;
>>> >         proxy_set_header Host $http_host;
>>> >     }
>>> > }}
>>> >
>>> > You can then point any domain to the nginx server (for example, via the
>>> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
>>> > happy.
>>> >
>>> > That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
>>> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
>>> > there are "security features" like "Content-Security-Policy" that prevent
>>> > modern browsers from visiting your SSL-stripped sites, but I believe your
>>> > outdated browser will happily ignore those.
>>> >
>>> > --Zizhong
>>> >
>>> _______________________________________________
>>> stunnel-users mailing list
>>> [email protected]
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>
>
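
Added example, not part of the thread or of any poster's configuration: the nginx HTTP-to-HTTPS upgrade proxy quoted above, with the listener restricted to loopback and the upstream TLS leg given SNI, a TLS 1.2 floor and certificate verification. The CA bundle path is an assumption and must be adjusted to the local system.

```nginx
events {}

http {
    server {
        # Loopback only. With a bare "listen 80;" every host that can reach
        # the port can relay requests through this proxy to any HTTPS site,
        # and the browser-to-proxy hop is plaintext.
        listen 127.0.0.1:80;

        # Required because proxy_pass below contains variables.
        # 9.9.9.9 is the resolver used in the quoted configuration.
        resolver 9.9.9.9;

        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;

            # nginx does not send SNI to the upstream by default; name-based
            # virtual hosts and CDNs need it to select the right certificate.
            proxy_ssl_server_name on;
            proxy_ssl_name $host;

            # The legacy browser never negotiates TLS itself, so the protocol
            # floor for the proxy-to-site leg is enforced here.
            # (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.)
            proxy_ssl_protocols TLSv1.2 TLSv1.3;

            # Upstream certificate verification is off by default, which
            # leaves the proxy-to-site leg open to interception.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 3;
            # Assumed path (Debian-style CA bundle); not from the thread.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        }
    }
}
```

With verification on, nginx answers 502 when the upstream certificate does not validate, which is the signal the old browser can no longer produce on its own.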
