Hi Janos,

You can use a local proxy to "translate" HTTPS TLS1.0 to TLS1.2.
Look here:

https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?page=7&tab=comments#comment-1155858

HTTPSProxy (and its tools) manages the whole traffic locally (incoming and outgoing
HTTPS), but needs manual configuration as described in the help files.
If you have questions, please ask in this forum.

Regards, Thomas S.



-----Original Message-----
From: stunnel-users [mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Wednesday, December 05, 2018 10:12 AM
To: [email protected]
Subject: stunnel-users Digest, Vol 173, Issue 4

Send stunnel-users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of stunnel-users digest..."


Today's Topics:

   1. Re: older browsers, stunnel and privoxy (kovacs janos)
   2. Re: older browsers, stunnel and privoxy (Zizhong Zhang)
   3. Re: older browsers, stunnel and privoxy (kovacs janos)
   4. Re: older browsers, stunnel and privoxy (Flo Rance)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 Dec 2018 19:27:15 +0100
From: kovacs janos <[email protected]>
To: Flo Rance <[email protected]>
Cc: [email protected]
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
        <caochpkrotmoagcpv4fk19nhzep-5-jgjx3easfcfqbmvydr...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Well yes, I'm pretty sure the same encryption is needed in requests and
the returned page, otherwise it would probably get a 'no cypher overlap'
error.

So I basically need stunnel to encrypt outgoing requests and decrypt
the returned data, and only on the browser side of the connection.

There's a good reason why they are deprecated, but it would be better
to add this functionality this way if possible, rather than change
whole programs, especially when it's the purpose of stunnel, according
to the description.

On 12/4/18, Flo Rance <[email protected]> wrote:
> This is not what I've understood from your first description. You would
> like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web
> proxy.
>
> This is why I don't think stunnel is intended for that.
>
> That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason
> and you should seriously think about updating your tools.
>
> Regards,
> Flo
>
> On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <[email protected]>
> wrote:
>
>> Well, it says this on the first line of the website:
>> "Stunnel is a proxy designed to add TLS encryption functionality to
>> existing clients and servers without any changes in the programs'
>> code."
>>
>> I just want to add TLS functionality to client browsers which don't
>> have it. I only need stunnel to decrypt TLS traffic going back to the
>> browser.
>>
>> On 12/4/18, Flo Rance <[email protected]> wrote:
>> > Sorry I didn't read it correctly. I don't think this is something
>> > stunnel can handle.
>> >
>> > Regards,
>> > Flo
>> >
>> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <[email protected]>
>> > wrote:
>> >
>> >> Thank you for the reply.
>> >> It's the address and port where privoxy listens for requests.
>> >> From the config file:
>> >> "#  4.1. listen-address
>> >> #  ====================
>> >> #
>> >> #  Specifies:
>> >> #
>> >> #      The IP address and TCP port on which Privoxy will listen for
>> >> #      client requests."
>> >> and under it:
>> >>
>> >> listen-address  127.0.0.1:8118
>> >>
>> >> On 12/3/18, Flo Rance <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > It's not clear in your description what is running on 8118 local
>> >> > port.
>> >> >
>> >> > Regards,
>> >> > Flo
>> >> >
>> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <
>> [email protected]>
>> >> > wrote:
>> >> >
>> >> >> Sorry to bother,
>> >> >> I'm trying to make older browsers able to display TLS 1.1 and
>> >> >> TLS 1.2 sites.
>> >> >> I heard stunnel can't be configured to always forward to the current
>> >> >> site address dynamically, that's why I would use privoxy.
>> >> >> The browser is configured to send to:
>> >> >> 127.0.0.1  443
>> >> >>
>> >> >> The stunnel config has this at the end:
>> >> >> [Tunnel_in]
>> >> >> client = yes
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> verifyChain = yes
>> >> >> CAfile = ca-certs.pem
>> >> >> checkHost = localhost
>> >> >>
>> >> >> 127.0.0.1:8118 is the privoxy address.
>> >> >> This is what stunnel writes:
>> >> >> LOG5[main]: Configuration successful
>> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
>> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
>> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
>> >> >>
>> >> >> and the browser loads infinitely, and never loads anything or
>> >> >> leaves the page.
>> >> >> If I remove the last 3 lines, it's the same, just with this line
>> >> >> added:
>> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
>> >> >>
>> >> >> but it doesn't give an error or anything.
>> >> >>
>> >> >> With a configuration like:
>> >> >> [Tunnel_out]
>> >> >> client = no
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> cert = stunnel.pem
>> >> >>
>> >> >> this is what it gives:
>> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
>> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>> >> >>
>> >> >> and the browser gives a "server not found" error immediately. I'm not even
>> >> >> sure if I should use the client or server configuration in a case like
>> >> >> this, but neither of them works anyway. All I would need is for my
>> >> >> browser to get the pages decrypted, or at least in less than
>> >> >> TLS1.1.
>> >> >> Like how on newipnow.com I can access sites with any encryption, since
>> >> >> they are sent to the browser without encryption. The browser just
>> >> >> gives an "unencrypted tunnel" warning, which is how I found stunnel,
>> >> >> and which is exactly what I need, just locally.
>> >> >> _______________________________________________
>> >> >> stunnel-users mailing list
>> >> >> [email protected]
>> >> >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>> >> >>
>> >> >
>> >>
>> >
>>
>

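The two stunnel logs quoted above differ in what the browser actually put on the wire toward 127.0.0.1:443. A browser that has been given that address as an HTTP proxy sends a plaintext `CONNECT host:443 HTTP/1.1` line; OpenSSL's ClientHello reader recognises that byte pattern and reports exactly the `SSL23_GET_CLIENT_HELLO:https proxy request` error seen in the server-mode log, while in client mode stunnel wraps the plaintext CONNECT in TLS and hands it to privoxy, which expects plaintext HTTP, hence the endless load. The following is an added example, not code from the thread, from stunnel or from privoxy: it classifies the first bytes a client sends to a TLS-expecting port the way OpenSSL does, and for a genuine ClientHello it extracts the SNI and the highest TLS version offered, which is what a server that requires TLS 1.2 checks before refusing the handshake (the browser-side symptom being `ssl_error_no_cypher_overlap`). The ClientHello builder, the hostname `example.test` and the sample CONNECT line are constructed test data; the parser follows the public record layout (RFC 5246 and RFC 8446), including the `supported_versions` extension TLS 1.3 clients use.

```python
import struct

# Constants from the TLS record and handshake layout (RFC 5246, RFC 8446).
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
PLAIN_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Name what arrived on a port that expects TLS, mirroring OpenSSL's three
    outcomes: plaintext CONNECT, another plaintext HTTP method, or a TLS record."""
    if data.startswith(b"CONNECT "):
        return "https proxy request"
    if data.startswith(PLAIN_HTTP_METHODS):
        return "http request"
    if len(data) >= 5 and data[0] == CONTENT_TYPE_HANDSHAKE and data[1] == 0x03:
        return "tls handshake"
    return "unknown"


def version_name(version: int) -> str:
    return VERSION_NAMES.get(version, "0x%04x" % version)


def parse_client_hello(data: bytes) -> dict:
    """Return legacy version, SNI, supported_versions and the highest version offered."""
    if classify_first_bytes(data) != "tls handshake":
        raise ValueError("not a TLS record but: " + classify_first_bytes(data))
    record_len = struct.unpack(">H", data[3:5])[0]
    handshake = data[5:5 + record_len]
    if not handshake or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hello = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]

    legacy_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                                              # skip client random
    pos += 1 + hello[pos]                                     # session_id (u8 length)
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]     # cipher_suites (u16 length)
    pos += 1 + hello[pos]                                     # compression_methods (u8 length)

    info = {"legacy_version": legacy_version, "sni": None, "supported_versions": []}
    if pos + 2 <= len(hello):                                 # extensions block is optional
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: u16 list length, then (u8 name_type, u16 length, name)
                off = 2
                while off + 3 <= len(ext):
                    name_type, name_len = ext[off], struct.unpack(">H", ext[off + 1:off + 3])[0]
                    off += 3
                    if name_type == 0:                        # host_name
                        info["sni"] = ext[off:off + name_len].decode("ascii")
                    off += name_len
            elif ext_type == EXT_SUPPORTED_VERSIONS:
                # u8 byte count, then u16 versions in the client's preference order
                info["supported_versions"] = [
                    struct.unpack(">H", ext[1 + i:3 + i])[0] for i in range(0, ext[0], 2)]
    # TLS 1.3 clients keep legacy_version at 0x0303 and list the real versions in the
    # extension; values outside the known table (GREASE) are ignored.
    offered = [v for v in info["supported_versions"] if v in VERSION_NAMES] or [legacy_version]
    info["highest_version"] = max(offered)
    return info


def offers_tls12(data: bytes) -> bool:
    """True if a server that requires TLS 1.2 or newer could accept this ClientHello."""
    return parse_client_hello(data)["highest_version"] >= 0x0303


def build_client_hello(legacy_version, sni=None, supported_versions=(),
                       cipher_suites=(0x002F, 0xC02F)):
    """Construct a minimal ClientHello record as test input (not captured traffic)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(host)) + host
        name_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if supported_versions:
        versions = b"".join(struct.pack(">H", v) for v in supported_versions)
        body = bytes([len(versions)]) + versions
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    hello = (struct.pack(">H", legacy_version) + bytes(32)   # version, all-zero test random
             + b"\x00"                                      # empty session_id
             + struct.pack(">H", len(suites)) + suites
             + b"\x01\x00")                                 # one compression method: null
    if exts:
        hello += struct.pack(">H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: a proxy-style CONNECT, a TLS 1.0-only hello, a modern hello.
    for sample in (b"CONNECT example.test:443 HTTP/1.1\r\n",
                   build_client_hello(0x0301, sni="example.test"),
                   build_client_hello(0x0303, sni="example.test", supported_versions=(0x0304, 0x0303))):
        kind = classify_first_bytes(sample)
        if kind == "tls handshake":
            info = parse_client_hello(sample)
            print(kind, info["sni"], version_name(info["highest_version"]), offers_tls12(sample))
        else:
            print(kind)
```

Pointed at the bytes a browser sends, `classify_first_bytes` tells apart "the browser thinks this port is an HTTP proxy" from "the browser thinks this port is a TLS server", which is the first thing to establish before choosing between stunnel's `client = yes` and `client = no`. `parse_client_hello` then shows why a TLS 1.0-only hello cannot be bridged by simple forwarding: the version the server is allowed to pick is bounded by what the hello offers, so something must terminate the old handshake locally and open a new one upstream, and that component inherits the job of validating the upstream certificate that the browser can no longer do itself.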

------------------------------

Message: 2
Date: Tue, 04 Dec 2018 19:16:53 +0000
From: Zizhong Zhang <[email protected]>
To: kovacs janos <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
        <mSx8WOjppmpWbvW5ETuPUXO048xh4PcPTtZPpOpzkrecueeSUtjQQx13FhtLO24lkyNXRPe_lNpMV8ko6RMEvowOx7mg6rl_1hwj43QAxWw=@protonmail.com>
Content-Type: text/plain; charset=UTF-8

Hello,

> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2 sites.
> I heard stunnel can't be configured to always forward to the current
> site address dynamically, that's why I would use privoxy.

If by "forward to the current site address dynamically" you meant "forward to 
the current address of one specific domain" then stunnel can achieve that by 
adding "delay = yes".

However, if I understood correctly, you wanted to let stunnel strip
or remove SSL for whatever sites you visit. Then no, I don't think you can 
achieve that with privoxy and stunnel. If that's what you want, I would suggest 
you use nginx to remove SSL. The following example configuration will let nginx 
"upgrade" your HTTP request to HTTPS.

events {}
http {
    server {
        resolver 9.9.9.9;            # needed because the upstream host is a variable
        listen 80;
        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;
            # Added here, not in the original post: send SNI upstream (off by default).
            proxy_ssl_server_name on;
            # proxy_ssl_verify is off by default: the upstream certificate is not
            # validated unless proxy_ssl_verify/proxy_ssl_trusted_certificate are set.
        }
    }
}

You can then point any domain to the nginx server (for example, via the hosts 
file) and visit the site via HTTP. This will make HTTPS-only servers happy.

That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you 
can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there 
are "security features" like "Content-Security-Policy" that prevent modern 
browsers from visiting your SSL-stripped sites, but I believe your outdated 
browser will happily ignore those.

--Zizhong


------------------------------

Message: 3
Date: Tue, 4 Dec 2018 21:37:53 +0100
From: kovacs janos <[email protected]>
To: Zizhong Zhang <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
        <CAOchpkq7vG8vHBCrbVn6d4Eh7M2rd6jEob_huhoG=zefjnp...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Well, what I meant is forwarding to the current address the browser
connects to, so basically browsing through stunnel.

Is it really that complicated to achieve that? If I configure stunnel
as a client, and make the browser send traffic to the accept address,
shouldn't stunnel encrypt the traffic with TLS and forward it to the
connect address? If that's true, shouldn't it also decrypt returning
traffic and send it back to the browser?
When I configured stunnel as both client and server on the same
computer, it worked, but the browser still gave
'ssl_error_no_cypher_overlap' errors. Probably because the server side
decrypted it again before it reached the website's server?

I don't necessarily need it to strip encryption, just use anything
below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
sites that would otherwise give a cipher error, and they stay as https.

On 12/4/18, Zizhong Zhang <[email protected]> wrote:
> Hello,
>
>> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2
>> sites.
>> I heard stunnel can't be configured to always forward to the current
>> site address dynamically, that's why I would use privoxy.
>
> If by "forward to the current site address dynamically" you meant "forward
> to the current address of one specific domain" then stunnel can achieve that
> by adding "delay = yes".
>
> However, if I understood correctly, you wanted to let stunnel strip
> or remove SSL for whatever sites you visit. Then no, I don't think you can
> achieve that with privoxy and stunnel. If that's what you want, I would
> suggest you use nginx to remove SSL. The following example configuration
> will let nginx "upgrade" your HTTP request to HTTPS.
>
> events {} http { server {
>     resolver 9.9.9.9;
>     listen 80;
>     location / {
>             proxy_pass https://$host$request_uri;
>             proxy_set_header Host $http_host;
>     }
> }}
>
> You can then point any domain to the nginx server (for example, via the
> hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> happy.
>
> That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> there are "security features" like "Content-Security-Policy" that prevent
> modern browsers from visiting your SSL-stripped sites, but I believe your
> outdated browser will happily ignore those.
>
> --Zizhong
>


------------------------------

Message: 4
Date: Wed, 5 Dec 2018 10:12:06 +0100
From: Flo Rance <[email protected]>
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: [stunnel-users] older browsers, stunnel and privoxy
Message-ID:
        <CAHogYcV+ig2-2u8CWYbbqH_AnkiZNzqM9etx=jhj3n+nug-...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I would recommend using squid, which is able to do SSL bump.

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Therefore, you'll be able to connect with TLS1.0 to squid, and the proxy
will establish a TLSv1.2 connection to the final destination.

Regards,
Flo

On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <[email protected]>
wrote:

> Well, what I meant is forwarding to the current address the browser
> connects to, so basically browsing through stunnel.
>
> Is it really that complicated to achieve that? If I configure stunnel
> as a client, and make the browser send traffic to the accept address,
> shouldn't stunnel encrypt the traffic with TLS and forward it to the
> connect address? If that's true, shouldn't it also decrypt returning
> traffic and send it back to the browser?
> When I configured stunnel as both client and server on the same
> computer, it worked, but the browser still gave
> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
> decrypted it again before it reached the website's server?
>
> I don't necessarily need it to strip encryption, just use anything
> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
> sites that would otherwise give a cipher error, and they stay as https.
>
> On 12/4/18, Zizhong Zhang <[email protected]> wrote:
> > Hello,
> >
> >> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2
> >> sites.
> >> I heard stunnel can't be configured to always forward to the current
> >> site address dynamically, that's why I would use privoxy.
> >
> > If by "forward to the current site address dynamically" you meant "forward
> > to the current address of one specific domain" then stunnel can achieve that
> > by adding "delay = yes".
> >
> > However, if I understood correctly, you wanted to let stunnel strip
> > or remove SSL for whatever sites you visit. Then no, I don't think you can
> > achieve that with privoxy and stunnel. If that's what you want, I would
> > suggest you use nginx to remove SSL. The following example configuration
> > will let nginx "upgrade" your HTTP request to HTTPS.
> >
> > events {} http { server {
> >     resolver 9.9.9.9;
> >     listen 80;
> >     location / {
> >             proxy_pass https://$host$request_uri;
> >             proxy_set_header Host $http_host;
> >     }
> > }}
> >
> > You can then point any domain to the nginx server (for example, via the
> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
> > happy.
> >
> > That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
> > there are "security features" like "Content-Security-Policy" that prevent
> > modern browsers from visiting your SSL-stripped sites, but I believe your
> > outdated browser will happily ignore those.
> >
> > --Zizhong
> >
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>

------------------------------


------------------------------

End of stunnel-users Digest, Vol 173, Issue 4
*********************************************