Proxomitron Reborn
Apr. 13, 2024, 09:09 PM
Post: #271
RE: Proxomitron Reborn
(Apr. 13, 2024 08:27 PM)Anno Domini Wrote: ...
That'll work.
(Apr. 13, 2024 08:27 PM)Anno Domini Wrote: PS -- JJoe, I viewed your proxcert_certonly.pem and it says that the Signature Algorithm is SHA-256 with RSA Encryption. Is that to make browsing easier ? The one I generated and am using says SHA-512, and to be honest, I don't really know what the difference is lol. Thank you..
I just clicked the button. lol Probably due to our computers and OSs. This computer is old and I don't like to update it. Something to note, however. Thanks for mentioning it.
Apr. 13, 2024, 10:59 PM
Post: #272
RE: Proxomitron Reborn
(Apr. 13, 2024 08:51 PM)DullFace Wrote: Does it always crash at address 0x77766c8e? Judging by the address, this is some kind of dll, and not Reborn himself.
It's the downloaded .exe, I just renamed to Proxomitron, no patches. I'll have to see if it's the same address every time.
Apr. 14, 2024, 07:56 PM
(This post was last modified: Apr. 14, 2024 07:56 PM by Anno Domini.)
Post: #273
RE: Proxomitron Reborn
Apr. 16, 2024, 02:49 PM
Post: #274
RE: Proxomitron Reborn
(Apr. 13, 2024 06:34 PM)JJoe Wrote: Opens with my version 4.6.0.5. using the certs generated by either exe.
Thanks for looking into this. I tested with Firefox only and I got the same result as you.
4.6.0.5 with OpenSSL 1.0.1q works and I can see yomou.syosetu.com in Cached Certificates section of https://local.ptron/.pinfo/ssl/.
4.7.0.0 with OpenSSL 1.0.1q works too.
4.7.0.0 with OpenSSL 3.0.9 doesn't work and I can NOT see yomou.syosetu.com in Cached Certificates section of https://local.ptron/.pinfo/ssl/.
@amy, can you let new versions moving forward check for OpenSSL 3.x DLLs first and fall back to OpenSSL 1.x if OpenSSL 3.x DLLs are not present? This way I can put new and old proxo.exe, and new and old DLLs in the same directory without having to remove a specific version of DLLs to test another version of Proxo.exe.
Apr. 17, 2024, 04:12 PM
(This post was last modified: Apr. 17, 2024 04:12 PM by Anno Domini.)
Post: #275
RE: Proxomitron Reborn
Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?
Apr. 19, 2024, 02:41 AM
(This post was last modified: Apr. 19, 2024 03:54 AM by JJoe.)
Post: #276
RE: Proxomitron Reborn
Browsers often let you 'Accept the Risk and Continue' or 'proceed...(unsafe)', etc. This may cause the browser to load the site with the Proxomitron filtering. It does for me.
Of course, the browsers will mark the site as insecure. For Firefox this exception may be granted by clicking 'Advanced...' then 'Accept the Risk and Continue' on the warning page.
(Apr. 17, 2024 04:12 PM)Anno Domini Wrote: ...
Apr. 19, 2024, 03:08 AM
(This post was last modified: Apr. 19, 2024 03:54 AM by JJoe.)
Post: #277
RE: Proxomitron Reborn
(Apr. 16, 2024 02:49 PM)whenever Wrote: ...
No problem. I was hoping to narrow this down for amy.
Maybe the handshake between server and Reborn fails. This causes an incomplete certificate for the browser. Indeed, googling "OpenSSL 3 handshake fails" turns up "Handshake fails with 3.0.2 & 1.1.1n, but succeeds with 1.1.1" and https://github.com/owncloud/client/issues/11172
But, if I add an exception for the site to the browser, it loads and is filtered...
Apr. 20, 2024, 02:55 AM
Post: #278
RE: Proxomitron Reborn
(Apr. 17, 2024 04:12 PM)Anno Domini Wrote: Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?
This is the same error that happened to https://yomou.syosetu.com/. Proxo 4.7.0.0 with OpenSSL 3.0.9 failed to create site certificates for ebay.ca and yomou.syosetu.com. Instead, Proxo sent the root certificate to the browser and the browser complained.
(Apr. 19, 2024 03:08 AM)JJoe Wrote: Maybe the handshake between server and Reborn fails.
I don't think it has gone that far yet. If filtering is enabled:
1. Proxo will establish SSL connection with the browser first
2. then extract http request details
3. then establish SSL connection with the remote server.
......
I think the error happens at step 1.
Apr. 20, 2024, 01:55 PM
(This post was last modified: Apr. 20, 2024 02:04 PM by JJoe.)
Post: #279
RE: Proxomitron Reborn
If it's just between the browser and the Proxomitron, it seems odd to me that "ebay.ca" and "yomou.syosetu.com" always fail but "ebay.cn" and "blog.syosetu.com" haven't failed yet. All the ca domains (amazon.ca, yahoo.ca, etc) that I have tried worked, as did the ebay domains.
Curious.
(Apr. 20, 2024 02:55 AM)whenever Wrote: I don't think it has gone that far yet. If filtering is enabled:
Apr. 21, 2024, 02:35 AM
Post: #280
RE: Proxomitron Reborn
That's what I called a bug. You can give Proxomitron a parent proxy which has a log function and compare the traffic.
Apr. 21, 2024, 04:18 PM
(This post was last modified: Apr. 21, 2024 04:27 PM by Anno Domini.)
Post: #281
RE: Proxomitron Reborn
I'm glad you guys, JJoe and Whenever, see what I'm talking about. You are correct. Using Proxo 4.7.0.0 with OpenSSL 3.0.9 causes a certificate error for ebay.ca. It warns that 'www.ebay.ca uses an invalid security certificate,' but this error does not occur visiting ebay.com, or amazon.ca, etc. All I can add is that as a layman Proxomitron user, who doesn't understand all the technical details, reading, 'If you visit this site (ebay.ca), attackers could try to steal information like your passwords, emails, or credit card details.' is daunting. :-(
Apr. 22, 2024, 02:04 PM
Post: #282
RE: Proxomitron Reborn
(Apr. 13, 2024 01:26 PM)whenever Wrote: ...Is below expected with the default setting?...
This may apply.
https://curl.se/docs/ssl-ciphers.html Wrote: Schannel allows the enabling and disabling of encryption algorithms, but not specific cipher suites, prior to TLS 1.3. The algorithms are defined by Microsoft.
But I don't know how Schannel responds when you try to specify cipher suites, prior to TLS 1.3.
I didn't know it was on this computer. So, I downloaded the latest curl and
Code:
C:\curl-8.7.1_7-win64-mingw\bin>curl -s -S -v -o /dev/null --no-progress-meter --insecure --tls-max 1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://127.0.0.1:8443/ProxyLogo.jpg
and
Code:
C:\curl-8.7.1_7-win64-mingw\bin>curl -s -S -v -o /dev/null --no-progress-meter --insecure https://127.0.0.1:8443/ProxyLogo.jpg
Not related but notable for new schannel users like me.
https://curl.se/docs/ssl-ciphers.html Wrote: TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+, and since curl 7.85 for Schannel with options CURLOPT_TLS13_CIPHERS and --tls13-ciphers. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the respective regular cipher option.
HTH
Apr. 23, 2024, 04:52 AM
Post: #283
RE: Proxomitron Reborn
Proxomitron Reborn 4.7.0.1 has been released with a few changes:
- Fix certificate generation
A few sites you reported here weren't working due to OpenSSL 3's stricter certificate parsing (this is actually another discernable difference between OpenSSL and browser's SSL clients). It was happening with very low probability depending on the hostname, so I didn't catch it earlier. Note that in the future, you can enable "Misc. information" in the Log Window to see more details about certificate generation information and errors.
- Show SslCiphers and ServerCiphers in status page
Requested by whenever.
- Attempt to load OpenSSL 3.x before 1.x
Requested by whenever.
- Edited documentation
Updated the configuration dialog pages as remarked upon by whenever.
(Apr. 09, 2024 01:20 PM)DullFace Wrote: (Apr. 09, 2024 03:08 AM)amy Wrote: it just closes the connection without replying with any data. I tried to play with OpenSSL 3.2.1:
Thanks for figuring out the difference. Adding that fallback_scsv at the right time is not something that using OpenSSL makes it easy to do, unfortunately, and so is another difference that can be used to distinguish Proxomitron from a browser. I am thinking of a solution to this and the other discrepancies, but it won't be easy.
(Apr. 13, 2024 01:26 PM)whenever Wrote: What about showing the adopted values of ServerCiphers and SslCiphers in the "SSL/TLS Information" section of https://local.ptron/.pinfo/ssl/? That way we can know if user defined or default settings are applied depending on if there are errors in user defined settings.
Added to 4.7.0.1.
(Apr. 13, 2024 01:26 PM)whenever Wrote: Also, is ServerCiphers applied to the built in https server? Is below expected with the default setting?
Yes. I'm not sure how schannel's ciphersuite lists work, but they might not be the same as what OpenSSL accepts.
(Apr. 13, 2024 01:26 PM)whenever Wrote: Lastly, are you able to visit https://yomou.syosetu.com/ with default settings? From https://local.ptron/.pinfo/ssl/ I can see no site certificate is created for yomou.syosetu.com.
Certificate generation bug, fixed in 4.7.0.1. Thanks for reporting.
(Apr. 16, 2024 02:49 PM)whenever Wrote: @amy, can you let new versions moving forward check for OpenSSL 3.x DLLs first and fall back to OpenSSL 1.x if OpenSSL 3.x DLLs are not present? This way I can put new and old proxo.exe, and new and old DLLs in the same directory without having to remove a specific version of DLLs to test another version of Proxo.exe.
Changed in 4.7.0.1. (I was renaming the 1.0.x DLLs to switch between them and 3.x, but your way works just as well, and it does seem to make more sense to load the latest OpenSSL version it can find.)
(Apr. 17, 2024 04:12 PM)Anno Domini Wrote: Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?
Certificate generation bug fixed in 4.7.0.1. The probability of getting a hostname that hit the bug was really low.
The following 5 users say Thank You to amy for this post: DullFace, referrer, ProxRocks, whenever, defconnect
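The load order discussed above (OpenSSL 3.x DLLs first, falling back to 1.x, with old and new DLLs side by side in one directory), as an added sketch that is not Proxomitron Reborn's own code. It assumes the stock OpenSSL DLL file names on Windows; the page does not say which names Reborn probes, and `scan` is a hypothetical helper that only selects files and loads nothing.

```python
import os

# Stock OpenSSL DLL names on Windows as (family, libssl, libcrypto), newest first.
# Assumption: the page does not say which file names Proxomitron Reborn probes.
PAIRS = {
    32: [("3.x", "libssl-3.dll", "libcrypto-3.dll"),
         ("1.1.x", "libssl-1_1.dll", "libcrypto-1_1.dll"),
         ("1.0.x", "ssleay32.dll", "libeay32.dll")],
    64: [("3.x", "libssl-3-x64.dll", "libcrypto-3-x64.dll"),
         ("1.1.x", "libssl-1_1-x64.dll", "libcrypto-1_1-x64.dll"),
         ("1.0.x", "ssleay32.dll", "libeay32.dll")],
}

def scan(app_dir, bits=32):
    """Return (choice, orphans) for the DLLs found in app_dir.

    choice  -- (family, ssl_path, crypto_path) for the newest family whose two
               DLLs are BOTH present in app_dir, or None if no pair is complete.
    orphans -- DLLs found without their partner; loading one of these would
               pull its other half from somewhere else on the search path.
    """
    app_dir = os.path.abspath(app_dir)
    # Windows file names are case-insensitive, so compare lower-cased names.
    present = {name.lower() for name in os.listdir(app_dir)}
    choice, orphans = None, []
    for family, ssl_dll, crypto_dll in PAIRS[bits]:
        have = [dll for dll in (ssl_dll, crypto_dll) if dll in present]
        if len(have) == 2 and choice is None:
            # Absolute paths, so a loader never falls back to PATH or the CWD.
            choice = (family, os.path.join(app_dir, ssl_dll),
                      os.path.join(app_dir, crypto_dll))
        elif len(have) == 1:
            orphans.append(have[0])
    return choice, orphans

if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Pass `bits` to match the executable, since a 32-bit process cannot load the `-x64` DLLs.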
Apr. 23, 2024, 07:32 AM
(This post was last modified: Apr. 23, 2024 07:53 AM by DullFace.)
Post: #284
RE: Proxomitron Reborn
(Apr. 23, 2024 04:52 AM)amy Wrote: Adding that fallback_scsv at the right time is not something that using OpenSSL makes it easy to do, unfortunately, and so is another difference that can be used to distinguish Proxomitron from a browser. I am thinking of a solution to this and the other discrepancies, but it won't be easy.
At that time, curl 8.4.0 (from the windows 10 distribution) worked without a proxy. Reborn 4.7.0.0 is also working now.
Code:
>curl -V
Apr. 24, 2024, 02:23 AM
Post: #285
RE: Proxomitron Reborn
Does Reborn generate an ECDSA certificate for the ECDSA cipher suites?
Which OpenSSL binary would you prefer for testing? https://wiki.openssl.org/index.php/Binaries
(Apr. 22, 2024 02:04 PM)JJoe Wrote: ...