EldoS | Feel safer!

Software components for data protection, secure storage and transfer

use http proxy behind stunnel5

Posted: 03/24/2016 00:56:05
by osman taskin (Basic support level)
Joined: 03/23/2016
Posts: 1


I am trying to connect to squid3, which listens on localhost:993, through stunnel5, which listens on *:443. stunnel5 allows us to encrypt the client->proxy connection.

This setup works very well with all major browsers; they can use that HTTPS proxy (made with stunnel).

We are about to write a stress tester and need to connect to that server from .NET. I have tried something like this:

tElHTTPSClient1.WebTunnelAddress = "test5.xxx.com";  // host where stunnel listens
tElHTTPSClient1.WebTunnelPort = 443;                  // stunnel's listening port
tElHTTPSClient1.WebTunnelAuthentication = 1;          // proxy authentication mode
tElHTTPSClient1.WebTunnelUserId = @"checking";
tElHTTPSClient1.WebTunnelPassword = "hdu9g783y3";
tElHTTPSClient1.UseWebTunneling = true;               // send the request through the proxy
tElHTTPSClient1.SSLEnabled = true;
tElHTTPSClient1.OnError += OnError;                   // error handler defined elsewhere
var response = tElHTTPSClient1.Get("http://1a.org");

but I keep getting this error message in C#:

Connection lost (error code is 100353)

on stunnel side:

2016.03.24 04:51:19 LOG7[9308]: Service [squid] accepted (FD=3) from
2016.03.24 04:51:19 LOG7[9553]: Service [squid] started
2016.03.24 04:51:19 LOG5[9553]: Service [squid] accepted connection from
2016.03.24 04:51:19 LOG7[9553]: SSL state (accept): before/accept initialization
2016.03.24 04:51:19 LOG3[9553]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
2016.03.24 04:51:19 LOG5[9553]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.03.24 04:51:19 LOG7[9553]: Local socket (FD=3) closed
2016.03.24 04:51:19 LOG7[9553]: Service [squid] finished (0 left)
2016.03.24 04:51:19 LOG7[9553]: str_stats: 0 block(s), 18446744073709551119 data byte(s), 0 control byte(s

So it looks like it never negotiates the SSL protocol for me. The request is not being sent to localhost:993 (the squid server).

I have been doing "ngrep port 443" on that server and see:

T -> [A]
T -> [AP]
CONNECT 1a.org:80 HTTP/1.1..Host: 1a.org:80..Proxy-Authorization: Basic Y2hlY2tpbmc6aGR1OWc3ODM=....

So it looks like it connects to port 443 in plain text without using any SSL feature. stunnel is listening on that port; I think there is no SSL handshake at all.

Am I doing everything correctly to make a simple request through an HTTPS proxy?

Posted: 03/24/2016 03:58:08
by Eugene Mayevski (Team)

From your description it's not clear what the setup is. The client connects to the HTTPS proxy without TLS (always). TLS is initiated later, when it's time to communicate with the remote server.

We have never seen a requirement to encrypt the client->proxy connection, because the tunneled client->proxy->server connection is encrypted after the proxy opens the connection to the server.

If you mean that the client->proxy connection must also be encrypted, then our client doesn't support this (implementing this feature is possible as a custom service).

Sincerely yours
Eugene Mayevski
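The following Python is an added example, not code from this thread, from EldoS or from SecureBlackbox. It shows two things the exchange above leaves implicit: first, what a TLS listener such as stunnel sees in the first bytes of a connection, and why a plaintext CONNECT request (as in the ngrep capture) cannot pass a TLS accept, which is what the "SSL23_GET_CLIENT_HELLO:https proxy request" line in the stunnel log reports; second, the order of operations a client needs for a proxy that sits behind stunnel: open TLS to the proxy port first, then send CONNECT inside that TLS session. The sample ClientHello bytes, the `user`/`secret` credentials and the function names are constructed for the example; the host and port names mirror the thread.

```python
import base64
import socket
import ssl

# Constructed sample: how a TLS connection begins. 0x16 is the handshake record type,
# 0x03 0x01 the record-layer version, then handshake type 0x01 (ClientHello).
SAMPLE_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Label what a TLS listener (stunnel) sees at the start of a connection.

    A TLS client always opens with a handshake record header. If the first bytes
    are instead an HTTP method token, the peer is talking plain HTTP proxy protocol
    to a TLS port, and the TLS accept fails before any data reaches the backend.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http-request"
    return "unknown"


def build_connect_request(target_host: str, target_port: int, user: str, password: str) -> bytes:
    """Build the CONNECT request an HTTP proxy client sends, with Basic proxy authentication.

    This is the same shape as the request seen in the ngrep capture above.
    """
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_status(response: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT (200 means tunnel open)."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def recv_headers(sock) -> bytes:
    """Read from the socket until the end of the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before finishing its reply")
        buf += chunk
    return buf


def open_tunnel_via_tls_proxy(proxy_host, proxy_port, target_host, target_port,
                              user, password, cafile=None):
    """Correct ordering for a proxy behind stunnel: TLS to the proxy first, CONNECT inside it.

    Returns the TLS socket; a plain HTTP request for target_host can then be written to it.
    (Nesting a second TLS session for an https:// target would need ssl.MemoryBIO and is
    outside this example.)
    """
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((proxy_host, proxy_port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=proxy_host)  # stunnel terminates this session
    tls.sendall(build_connect_request(target_host, target_port, user, password))
    status = parse_connect_status(recv_headers(tls))
    if status != 200:
        tls.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return tls


if __name__ == "__main__":
    req = build_connect_request("1a.org", 80, "user", "secret")
    print(classify_first_bytes(req))                        # what stunnel saw in the thread
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO_PREFIX))  # what stunnel expects
```

Running the classifier over the two inputs reproduces the mismatch in the thread: a client library that treats the proxy as a plain HTTP CONNECT endpoint puts the request on the wire first, so a TLS-terminating listener on that port never gets a ClientHello. The `open_tunnel_via_tls_proxy` function is not exercised offline; it documents the sequence (TCP, TLS, CONNECT, then the application request) that a client would have to follow for this setup.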




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
