Now I'm really not sure, since the Wikipedia page on stunnel also describes the program doing exactly what I need in the "Example scenario" section: https://en.wikipedia.org/wiki/Stunnel#Example_scenario
"Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client."

The only difference is, I need it to forward the "unsecured traffic" to my browser client, not a server. Are you all sure it's really not possible?

On 12/5/18, kovacs janos <kovacsjanosf...@gmail.com> wrote:
> Thank you for the suggestions, but can someone tell me in what cases
> stunnel can be used?
> I can connect to HTTP websites through it, but HTTPS doesn't work, even
> if it would otherwise do.
> I try to connect to 'https://via.hypothes.is/' like this, which I can
> access in the browser without any proxy:
>
> [Tunnel_in]
> client = yes
> accept = 127.0.0.1:443
> connect = via.hypothes.is:443
>
> I get these logs:
>
> LOG5[1]: Service [Tunnel_in] accepted connection from 127.0.0.1:1788
> LOG5[1]: s_connect: connected 104.20.214.15:443
> LOG5[1]: Service [Tunnel_in] connected remote server from 192.168.0.3:1789
> LOG5[1]: Connection closed: 197 byte(s) sent to TLS, 332 byte(s) sent to socket
>
> and the browser just shows a 'server not found' error.
> With HTTP sites it's the same logs except the IP and bytes, and it
> loads in the browser.
>
> On 12/5/18, Flo Rance <troura...@gmail.com> wrote:
>> I would recommend using squid, which is able to do SSL bump.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> Therefore, you'll be able to connect with TLS 1.0 to squid, and the proxy
>> will establish a TLSv1.2 connection to the final destination.
>>
>> Regards,
>> Flo
>>
>> On Tue, Dec 4, 2018 at 9:38 PM kovacs janos <kovacsjanosf...@gmail.com>
>> wrote:
>>
>>> Well, what I meant is forwarding to the current address the browser
>>> connects to, so basically browsing through stunnel.
>>>
>>> Is it really that complicated to achieve that?
>>> If I configure stunnel
>>> as a client, and make the browser send traffic to the accept address,
>>> shouldn't stunnel encrypt the traffic with TLS and forward it to the
>>> connect address? If that's true, shouldn't it also decrypt returning
>>> traffic and send it back to the browser?
>>> When I configured stunnel as both client and server on the same
>>> computer, it worked, but the browser still gave
>>> 'ssl_error_no_cypher_overlap' errors. Probably because the server side
>>> decrypted it again before it reached the website's server?
>>>
>>> I don't necessarily need it to strip encryption, just use anything
>>> below TLS 1.1. For example on 'https://via.hypothes.is/' I can visit
>>> sites that would otherwise give a cipher error, and they stay as HTTPS.
>>>
>>> On 12/4/18, Zizhong Zhang <ziza...@protonmail.com> wrote:
>>> > Hello,
>>> >
>>> >> I'm trying to make older browsers able to display TLS 1.1 and TLS 1.2
>>> >> sites.
>>> >> I heard stunnel can't be configured to always forward to the current
>>> >> site address dynamically, that's why I would use privoxy.
>>> >
>>> > If by "forward to the current site address dynamically" you meant "forward
>>> > to the current address of one specific domain" then stunnel can achieve that
>>> > by adding "delay = yes".
>>> >
>>> > However, if I understood correctly, you wanted to let stunnel strip
>>> > or remove SSL for whatever sites you visit. Then no, I don't think you can
>>> > achieve that with privoxy and stunnel. If that's what you want, I would
>>> > suggest you use nginx to remove SSL. The following example configuration
>>> > will let nginx "upgrade" your HTTP request to HTTPS.
>>> >
>>> > events {}
>>> > http {
>>> >     server {
>>> >         # A resolver is required because proxy_pass uses a variable ($host)
>>> >         resolver 9.9.9.9;
>>> >         listen 80;
>>> >         location / {
>>> >             # Forward the plain-HTTP request to the same host over HTTPS
>>> >             proxy_pass https://$host$request_uri;
>>> >             proxy_set_header Host $http_host;
>>> >             # Send SNI matching the requested host; without it,
>>> >             # name-based virtual hosts and CDN front ends commonly
>>> >             # fail the TLS handshake
>>> >             proxy_ssl_server_name on;
>>> >         }
>>> >     }
>>> > }
>>> >
>>> > You can then point any domain to the nginx server (for example, via the
>>> > hosts file) and visit the site via HTTP. This will make HTTPS-only servers
>>> > happy.
>>> >
>>> > That won't strip third-party HTTPS:// URL resources like NewIPNow does, but
>>> > you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also
>>> > there are "security features" like "Content-Security-Policy" that prevent
>>> > modern browsers from visiting your SSL-stripped sites, but I believe your
>>> > outdated browser will happily ignore those.
>>> >
>>> > --Zizhong
>>> >
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users@stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>
>
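The following is an added example, not code from this thread or from the stunnel project, to make concrete why the https:// attempt in the thread fails while http:// works. A stunnel service with "client = yes" expects plaintext on its accept socket and wraps whatever it receives in its own TLS session to the connect address. When the browser opens https://127.0.0.1:443/, the first thing it sends is a TLS ClientHello record; stunnel forwards that record as opaque payload inside the outer TLS connection, so via.hypothes.is receives a ClientHello where it expects an HTTP request line and closes the connection. When the browser opens http://127.0.0.1:.../ the payload is an HTTP request, which is what the tunnel is designed to carry. The code builds a constructed ClientHello (client_version 3.1, i.e. TLS 1.0, as an old browser would offer, with two RSA cipher suites and an SNI of via.hypothes.is), parses it back, classifies the first bytes the way an accept-side sniffer would, and checks the offered version against an assumed TLS 1.2 minimum standing in for the sites the poster cannot reach.

```python
import struct

# TLS record/handshake constants (RFC 5246)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(client_version, cipher_suites, sni, random=b"\x00" * 32):
    """Assemble a minimal TLS ClientHello record with a single SNI extension.

    This is a constructed message for demonstration, not a capture; a real
    browser adds many more extensions and a random nonce.
    """
    body = struct.pack("!BB", *client_version) + random
    body += b"\x00"  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_data = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is conventionally 3.1 for compatibility
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract client_version, cipher suites and SNI from a ClientHello record."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32  # skip client_version and random
    pos += 1 + body[pos]  # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"client_version": client_version, "cipher_suites": suites, "sni": sni}


def classify_first_bytes(data):
    """What the accept side actually receives: a TLS record or an HTTP request."""
    if data[:1] == bytes([TLS_HANDSHAKE]) and data[1:2] == b"\x03":
        return "tls"
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    return "unknown"


def max_version_ok(client_version, required=(3, 3)):
    """True if the client's offered version meets the assumed server minimum (TLS 1.2)."""
    return client_version >= required


if __name__ == "__main__":
    # Constructed: an old browser offering TLS 1.0 and two RSA suites
    hello = build_client_hello((3, 1), [0x002F, 0x000A], "via.hypothes.is")
    print("accept side sees:", classify_first_bytes(hello))
    info = parse_client_hello(hello)
    print("client offers TLS %d.%d, sni=%s" % (info["client_version"][0] - 2,
                                               info["client_version"][1] - 1,
                                               info["sni"]))
    print("would a TLS 1.2-only site accept it?", max_version_ok(info["client_version"]))
    print("plain http request:", classify_first_bytes(b"GET / HTTP/1.1\r\nHost: via.hypothes.is\r\n\r\n"))
```

Run it and the classification shows the two cases side by side: the https:// path delivers a "tls" payload into a tunnel that expects "http", and the offered version 3.1 explains the cipher-overlap error against TLS 1.2-only sites. The fix the thread converges on (squid SSL bump or the nginx reverse proxy) is exactly a component that terminates the browser's legacy TLS, or plain HTTP, itself and opens a fresh TLS 1.2 session upstream, which stunnel in client mode cannot do per-host because it never parses the payload.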