Anyway, here is an article about what I need: https://en.wikipedia.org/wiki/TLS_termination_proxy

Except it shouldn't pass the unencrypted data to a server but to a browser. On the same page, stunnel is listed under "Servers capable of acting as a TLS/SSL termination proxy". I would be grateful if I could finally make this work.

On 12/9/18, kovacs janos <[email protected]> wrote:
> How can I disable verification though? At first I just want to see it work at all.
> In the howto page, it says this:
>
> "Stunnel has 3 methods for checking certificates, which are controlled by the verify option:
>
> * Do not Verify Certificates
> If no verify argument is given, then stunnel will ignore any certificates offered and will allow all connections."
>
> There is no "verify" in the stunnel.conf file, and only the gmail service examples have verifyChain.
>
> On 12/9/18, Yyy <[email protected]> wrote:
>> How would the connection between stunnel and the server through a proxy work? To verify the server's identity, stunnel needs to receive and verify the server's certificate, and since the server's address is defined in the config file, anything that modifies traffic between stunnel and the server will be seen as a MITM and that will break connectivity.
>> It might be possible to disable certificate verification, but in that case sslstrip would be a better solution (it would have the same security).
>>
>> On December 9, 2018 3:30:34 PM EET, kovacs janos <[email protected]> wrote:
>>> I mean a proxy that can work with the address of the actual website opened in the browser, not just specific addresses defined in the config file.
>>>
>>> At least I thought that's what you meant with this:
>>> "In case of client (browser), for each remote (https) server to be connected to, stunnel config file will need an entry; in browser it will not be possible to use DNS names (all servers will have to be addressed as 127.0.0.1:someport where "someport" is port assigned in stunnel conf server entry accept statement), so most links in webpages will not work."
>>>
>>> If stunnel can only work with specified addresses, can't a proxy like privoxy be set up at both ends, and stunnel only has to accept and connect to the address of the proxies?
>>>
>>> On 12/9/18, Yyy <[email protected]> wrote:
>>>> What do you mean by dynamic address proxy?
>>>>
>>>> On December 8, 2018 12:39:26 AM EET, kovacs janos <[email protected]> wrote:
>>>>> If stunnel can only accept from and forward to one address, can't that be gotten around by setting a dynamic address proxy on both sides of stunnel? Like:
>>>>> proxy - stunnel - proxy
>>>>>
>>>>> Although I haven't been able to connect to even a single website, but I didn't try with specifically the IP.
>>>>>
>>>>> On 12/7/18, yyy <[email protected]> wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "kovacs janos" <[email protected]>
>>>>>> To: "Flo Rance" <[email protected]>
>>>>>> Cc: <[email protected]>
>>>>>> Sent: Friday, December 07, 2018 2:30 AM
>>>>>> Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
>>>>>>
>>>>>>> Now I'm really not sure, since the wikipedia page on stunnel also describes the program doing exactly what I need in the Example scenario section:
>>>>>>> https://en.wikipedia.org/wiki/Stunnel#Example_scenario
>>>>>>>
>>>>>>> "Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."
>>>>>>>
>>>>>>> Only difference is, I need it to forward "unsecured traffic" to my browser client, not a server. Are you all sure it's really not possible?
>>>>>>>
>>>>>> It is possible with the same limitations as with the server case.
>>>>>> In case of server, there is one server, which accepts incoming connections (unencrypted) and stunnel accepts unencrypted connections for that (one) server and decrypts and forwards them. There is only one server, which gets connected by stunnel.
>>>>>>
>>>>>> In case of client (browser), for each remote (https) server to be connected to, stunnel config file will need an entry; in browser it will not be possible to use DNS names (all servers will have to be addressed as 127.0.0.1:someport where "someport" is port assigned in stunnel conf server entry accept statement), so most links in webpages will not work.
>>>>>> It may be feasible for a small number of servers which do not link any external resources.
>>>>>>
>>>>>> _______________________________________________
>>>>>> stunnel-users mailing list
>>>>>> [email protected]
>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>
>>>>
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>
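The per-server client-mode layout the thread describes, written out as an added example (not a configuration from this thread or from the stunnel project) that keeps certificate verification switched on instead of disabling it. The service names, host names, local ports and the CA bundle path are assumptions; adjust them to your system.

```ini
; Added example, not from this thread or the stunnel project: a client-mode
; stunnel.conf with one section per remote HTTPS server, as the thread
; describes. The browser talks plain HTTP to 127.0.0.1:<port>; stunnel opens
; the TLS connection to the real server and verifies its certificate.
; Service names, host names, ports and the CA path are assumptions.

foreground = yes
debug = info

[example-site]
client = yes
; the browser connects unencrypted to this local port
accept = 127.0.0.1:8081
; stunnel connects with TLS to the remote server (assumed host name)
connect = www.example.com:443
; send the host name in the handshake so name-based virtual hosts respond
sni = www.example.com
; keep verification on: validate the chain against the system CA bundle
; (assumed path; it differs between distributions)
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
; and confirm the certificate was issued for this host name
checkHost = www.example.com

; every additional remote server needs its own section on another local port
[second-site]
client = yes
accept = 127.0.0.1:8082
connect = www.example.net:443
sni = www.example.net
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = www.example.net
```

The browser then opens http://127.0.0.1:8081/ rather than https://www.example.com/, which is exactly the addressing limitation the thread points out, and absolute links on the page to other hosts will still not go through stunnel. With `verifyChain` and `checkHost` set, a host that interposes itself between stunnel and the remote server causes the connection to be refused rather than silently accepted; leaving `verify`/`verifyChain` unset, as the quoted howto text describes, removes that check and gives the setup the same security as a plain-HTTP link, which is the point the earlier reply makes.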
