I would recommend using squid, which is able to do SSL bump.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Therefore, you'll be able to connect with TLS1.0 to squid and the proxy will establish a TLSv1.2 connection to the final destination.

Regards,
Flo

On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosf...@gmail.com> wrote:

> well, what i meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> is it really that complicated to achieve that? if i configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldn't stunnel encrypt the traffic with TLS and send forward to the
> connect address? if that's true, shouldn't it also decrypt returning
> traffic and send back to the browser?
> when i configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. probably because the server side
> decrypted it again before it reached the website's server?
>
> i don't necessarily need it to strip encryption, just use anything
> below TLS 1.1. for example on 'https://via.hypothes.is/' i can visit
> sites that would otherwise give cypher error, and they stay as https
>
> On 12/4/18, Zizhong Zhang <ziza...@protonmail.com> wrote:
> > Hello,
> >
> >> i'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2
> >> sites.
> >> i heard stunnel can't be configured to always forward to the current
> >> site address dynamically, that's why i would use privoxy.
> >
> > If by "forward to the current site address dynamically" you meant "forward
> > to the current address of one specific domain" then stunnel can achieve that
> > by adding "delay = yes".
> >
> > However, if I understood correctly, you wanted to let stunnel strip
> > or remove SSL for whatever sites you visit. Then no, I don't think you can
> > achieve that with privoxy and stunnel. If that's what you want, I would
> > suggest you use nginx to remove SSL. The following example configuration
> > will let nginx "upgrade" your HTTP request to HTTPS.
> >
> > events {}
> > http {
> >     server {
> >         resolver 9.9.9.9;
> >         listen 80;
> >         location / {
> >             proxy_pass https://$host$request_uri;
> >             proxy_set_header Host $http_host;
> >         }
> >     }
> > }
> >
> > You can then point any domain to the nginx server (for example, via the
> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> > happy.
> >
> > That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> > there are "security features" like "Content-Security-Policy" that prevent
> > modern browsers from visiting your SSL-stripped sites, but I believe your
> > out-dated browser will happily ignore those.
> >
> > --Zizhong
> >
> _______________________________________________
> stunnel-users mailing list
> stunnel-users@stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
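The squid setup suggested at the top of this message, sketched as a squid.conf fragment. This is an added example, not taken from the thread or from the Squid wiki; it assumes Squid 4 or later built with OpenSSL, and the port, file paths and CA file name are placeholders.

```conf
# Added example (not from the thread). Assumes Squid 4+ with OpenSSL.
# Port 3128, /etc/squid/bump-ca.pem and the helper paths are placeholders.

# Listening side: explicit proxy for the legacy browser.
# Bound to loopback only, because this leg is allowed to negotiate TLS 1.0.
# bump-ca.pem holds the local CA certificate and its private key.
http_port 127.0.0.1:3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-min-version=1.0

# Helper that mints per-host certificates signed by the local CA.
# Binary name and location differ between distributions.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the client's TLS hello first (to learn the server name), then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Outgoing side: never negotiate below TLS 1.2 toward the origin server.
tls_outgoing_options min-version=1.2

# Only the local machine may use the proxy ("localhost" is a built-in ACL).
http_access allow localhost
http_access deny all
```

The old browser has to trust the local CA certificate, and the TLS library squid is linked against must still permit TLS 1.0 on the listening side.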