Proxomitron Reborn
Apr. 13, 2024, 09:09 PM
Post: #271
RE: Proxomitron Reborn
(Apr. 13, 2024 08:27 PM)Anno Domini Wrote:  ...

Did I do everything correctly ?

That'll work.

(Apr. 13, 2024 08:27 PM)Anno Domini Wrote:  PS -- JJoe, I viewed your proxcert_certonly.pem and it says that the Signature Algorithm is SHA-256 with RSA Encryption. Is that to make browsing easier ? The one I generated and am using says SHA-512, and to be honest, I don't really know what the difference is lol. Thank you..

I just clicked the button. lol
Probably due to our computers and OSs. This computer is old and I don't like to update it.
Something to note, however. Thanks for mentioning it.
Apr. 13, 2024, 10:59 PM
Post: #272
RE: Proxomitron Reborn
(Apr. 13, 2024 08:51 PM)DullFace Wrote:  Does it always crash at address 0x77766c8e? Judging by the address, this is some kind of DLL, and not Reborn itself.
BTW, why is your process called "proxomitron.exe"? Is this the patched Reborn?

It's the downloaded .exe, I just renamed it to Proxomitron, no patches.

I'll have to see if it's the same address every time.
Apr. 14, 2024, 07:56 PM (This post was last modified: Apr. 14, 2024 07:56 PM by Anno Domini.)
Post: #273
RE: Proxomitron Reborn
(Apr. 13, 2024 09:09 PM)JJoe Wrote:  
(Apr. 13, 2024 08:27 PM)Anno Domini Wrote:  Did I do everything correctly ?

That'll work.

Thank you for the confirmation, JJoe, it helps a lot, and to Whenever for your observation about 'proxcert_certonly.pem' in post #264!
Apr. 16, 2024, 02:49 PM
Post: #274
RE: Proxomitron Reborn
(Apr. 13, 2024 06:34 PM)JJoe Wrote:  Opens with my version 4.6.0.5. using the certs generated by either exe.
Fails to load in Edge, Firefox or Opera with 4.7.0.0. and either set of certs.
Same "certs.pem" was used.

Thanks for looking into this. I tested with Firefox only and I got the same result as you.

4.6.0.5 with OpenSSL 1.0.1q works and I can see yomou.syosetu.com in Cached Certificates section of https://local.ptron/.pinfo/ssl/.

4.7.0.0 with OpenSSL 1.0.1q works too.

4.7.0.0 with OpenSSL 3.0.9 doesn't work and I can NOT see yomou.syosetu.com in the Cached Certificates section of https://local.ptron/.pinfo/ssl/.

@amy, can you let new versions moving forward check for OpenSSL 3.x DLLs first and fall back to OpenSSL 1.x if OpenSSL 3.x DLLs are not present? This way I can put new and old proxo.exe, and new and old DLLs in the same directory without having to remove a specific version of DLLs to test another version of Proxo.exe.
Apr. 17, 2024, 04:12 PM (This post was last modified: Apr. 17, 2024 04:12 PM by Anno Domini.)
Post: #275
RE: Proxomitron Reborn
Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?


Attached File(s): Capture.JPG (65 KB)
Apr. 19, 2024, 02:41 AM (This post was last modified: Apr. 19, 2024 03:54 AM by JJoe.)
Post: #276
RE: Proxomitron Reborn
Browsers often let you 'Accept the Risk and Continue' or 'proceed...(unsafe)', etc. This may cause the browser to load the site with the Proxomitron filtering. It does for me.
Of course, the browsers will mark the site as insecure.

For Firefox this exception may be granted by clicking
'Advanced...' then 'Accept the Risk and Continue' on the warning page.

(Apr. 17, 2024 04:12 PM)Anno Domini Wrote:  ...
I am unable to go to ebay.ca with the new Proxo 4.7.0.0.
... Any thoughts ?
Apr. 19, 2024, 03:08 AM (This post was last modified: Apr. 19, 2024 03:54 AM by JJoe.)
Post: #277
RE: Proxomitron Reborn
(Apr. 16, 2024 02:49 PM)whenever Wrote:  ...
Thanks for looking into this. I tested with Firefox only and I got the same result as you.
...

No problem. I was hoping to narrow this down for amy.

Maybe the handshake between server and Reborn fails. This causes an incomplete certificate for the browser.
Indeed, googling "OpenSSL 3 handshake fails" turns up "Handshake fails with 3.0.2 & 1.1.1n, but succeeds with 1.1.1" and https://github.com/owncloud/client/issues/11172

But, if I add an exception for the site to the browser, it loads and is filtered...
Apr. 20, 2024, 02:55 AM
Post: #278
RE: Proxomitron Reborn
(Apr. 17, 2024 04:12 PM)Anno Domini Wrote:  Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?

This is the same error that happened to https://yomou.syosetu.com/. Proxo 4.7.0.0 with OpenSSL 3.0.9 failed to create site certificates for ebay.ca and yomou.syosetu.com. Instead, Proxo sent the root certificate to the browser and the browser complained.

(Apr. 19, 2024 03:08 AM)JJoe Wrote:  Maybe the handshake between server and Reborn fails.

I don't think it has gone that far yet. If filtering is enabled:

1. Proxo will establish an SSL connection with the browser first
2. then extract the HTTP request details
3. then establish an SSL connection with the remote server.
......

I think the error happens at step 1.
Apr. 20, 2024, 01:55 PM (This post was last modified: Apr. 20, 2024 02:04 PM by JJoe.)
Post: #279
RE: Proxomitron Reborn
If it's just between the browser and the Proxomitron, it seems odd to me that "ebay.ca" and "yomou.syosetu.com" always fail but "ebay.cn" and "blog.syosetu.com" haven't failed yet. All the ca domains (amazon.ca, yahoo.ca, etc) that I have tried worked, as did the ebay domains.

Curious.

(Apr. 20, 2024 02:55 AM)whenever Wrote:  I don't think it has gone that far yet. If filtering is enabled:


1. Proxo will establish an SSL connection with the browser first
2. then extract the HTTP request details
3. then establish an SSL connection with the remote server.
......

I think the error happens at step 1.
Apr. 21, 2024, 02:35 AM
Post: #280
RE: Proxomitron Reborn
That's what I called a bug. You can give Proxomitron a parent proxy which has a log function and compare the traffic.
Apr. 21, 2024, 04:18 PM (This post was last modified: Apr. 21, 2024 04:27 PM by Anno Domini.)
Post: #281
RE: Proxomitron Reborn
I'm glad you guys, JJoe and Whenever, see what I'm talking about. You are correct. Using Proxo 4.7.0.0 with OpenSSL 3.0.9 causes a certificate error for ebay.ca. It warns that 'www.ebay.ca uses an invalid security certificate,' but this error does not occur visiting ebay.com, or amazon.ca, etc. All I can add is that as a layman Proxomitron user, who doesn't understand all the technical details, reading 'If you visit this site (ebay.ca), attackers could try to steal information like your passwords, emails, or credit card details.' is daunting. :-(
Apr. 22, 2024, 02:04 PM
Post: #282
RE: Proxomitron Reborn
(Apr. 13, 2024 01:26 PM)whenever Wrote:  ...Is below expected with the default setting?...
Code:
curl -s -S -v -o /dev/null --no-progress-meter --insecure --tls-max 1.2  --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://127.0.0.1:8443/ProxyLogo.jpg
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* schannel: disabled automatic use of client certificate
* schannel: Failed setting algorithm cipher list
* Closing connection
curl: (59) schannel: Failed setting algorithm cipher list
...

This may apply.

https://curl.se/docs/ssl-ciphers.html Wrote:  Schannel allows the enabling and disabling of encryption algorithms, but not specific cipher suites, prior to TLS 1.3. The algorithms are defined by Microsoft.

But I don't know how Schannel responds when you try to specify cipher suites prior to TLS 1.3.
I didn't know it was on this computer.

So, I downloaded the latest curl and

Code:
C:\curl-8.7.1_7-win64-mingw\bin>curl -s -S -v -o /dev/null --no-progress-meter --insecure --tls-max 1.2  --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://127.0.0.1:8443/ProxyLogo.jpg
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* Cipher selection: ECDHE-ECDSA-AES128-GCM-SHA256
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [115 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection
curl: (35) LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

and

Code:
C:\curl-8.7.1_7-win64-mingw\bin>curl -s -S -v -o /dev/null --no-progress-meter --insecure https://127.0.0.1:8443/ProxyLogo.jpg
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [286 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Unknown (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [648 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [136 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: O=Proxomitron; OU=Filtering; CN=local.ptron
*  start date: Apr 13 14:02:33 2024 GMT
*  expire date: Apr 13 14:02:33 2029 GMT
*  issuer: CN=Proxomitron SSL Filtering Root CA; OU=SSL Filtering; O=Proxomitron; ST=FL; C=US
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type ? (1024/80 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /ProxyLogo.jpg HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: curl/8.7.1
> Accept: */*
Not related but notable for new schannel users like me.

https://curl.se/docs/ssl-ciphers.html Wrote:  TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+, and since curl 7.85 for Schannel with options CURLOPT_TLS13_CIPHERS and --tls13-ciphers. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the respective regular cipher option.

HTH
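As an added example (my own script, not code from JJoe, whenever or the Proxomitron Reborn project), the following Python reads a curl -v trace like the two posted above and applies the checks this thread has been doing by eye: whether the handshake was refused before ServerHello because the only suite offered required a server key type the certificate does not have (the ECDHE-ECDSA run above, which also bears on DullFace's later question about ECDSA certificates), and whether the certificate the proxy presented is a self-signed root rather than a per-site leaf, which is the symptom whenever describes in post #278. The three traces are constructed, modelled on the posted output but trimmed; the third one is invented to show the root-instead-of-leaf case and is not output anyone posted.

```python
"""Classify a curl -v TLS trace: did the handshake die before ServerHello
(cipher suite / key type mismatch), and if a certificate was presented,
is it a per-site leaf or the CA root itself?"""
import re

# Constructed sample traces, modelled on the curl output posted in the thread.
# Trace 1: client insists on an ECDSA suite, server answers with an alert.
TRACE_ECDSA_REJECTED = """\
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* Cipher selection: ECDHE-ECDSA-AES128-GCM-SHA256
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
curl: (35) LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
"""

# Trace 2: default ciphers, TLS 1.3 negotiated, per-site leaf presented.
TRACE_LEAF_OK = """\
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* Server certificate:
*  subject: O=Proxomitron; OU=Filtering; CN=local.ptron
*  issuer: CN=Proxomitron SSL Filtering Root CA; OU=SSL Filtering; O=Proxomitron; ST=FL; C=US
"""

# Trace 3 (invented, not posted output): the failure mode whenever describes,
# the proxy sends its root CA certificate instead of a freshly generated leaf.
TRACE_ROOT_SENT = """\
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* Server certificate:
*  subject: CN=Proxomitron SSL Filtering Root CA; OU=SSL Filtering; O=Proxomitron; ST=FL; C=US
*  issuer: CN=Proxomitron SSL Filtering Root CA; OU=SSL Filtering; O=Proxomitron; ST=FL; C=US
"""


def parse_dn(dn):
    """'O=Proxomitron; CN=local.ptron' -> {'O': 'Proxomitron', 'CN': 'local.ptron'}."""
    return dict(part.strip().split("=", 1) for part in dn.split(";") if "=" in part)


def parse_trace(text):
    """Pull the handshake facts out of curl's '*' lines."""
    info = {"offered": None, "alert": None, "server_hello": False,
            "negotiated": None, "subject": None, "issuer": None, "error": None}
    for line in text.splitlines():
        if m := re.search(r"Cipher selection: (\S+)", line):
            info["offered"] = m.group(1)
        elif "TLS handshake, Server hello" in line:
            info["server_hello"] = True
        elif m := re.search(r"TLS alert, (.+?) \(\d+\)", line):
            info["alert"] = m.group(1)
        elif m := re.search(r"SSL connection using (\S+) / (\S+)", line):
            info["negotiated"] = (m.group(1), m.group(2))
        elif m := re.search(r"^\*\s+subject: (.+)$", line):
            info["subject"] = parse_dn(m.group(1))
        elif m := re.search(r"^\*\s+issuer: (.+)$", line):
            info["issuer"] = parse_dn(m.group(1))
        elif m := re.match(r"curl: \((\d+)\)", line):
            info["error"] = int(m.group(1))
    return info


def cert_key_type_required(cipher):
    """Server key type a TLS 1.2 suite name authenticates with.
    TLS 1.3 suites (TLS_...) do not encode it, so any certificate will do.
    Suites without an ECDSA token are treated as RSA, which covers the
    ECDHE-RSA and plain RSA key-exchange suites curl's --ciphers usually names."""
    if cipher is None or cipher.startswith("TLS_"):
        return None
    return "ECDSA" if "-ECDSA-" in cipher else "RSA"


def diagnose(info, host):
    """Return human-readable findings for a parsed trace against the host requested."""
    findings = []
    if info["alert"] and not info["server_hello"]:
        msg = f"rejected before ServerHello ({info['alert']}): server accepted none of the offered suites"
        need = cert_key_type_required(info["offered"])
        if need:
            msg += f"; {info['offered']} needs a server certificate with an {need} key"
        findings.append(msg)
    subj, iss = info["subject"], info["issuer"]
    if subj and iss:
        if subj == iss:
            findings.append("presented certificate is self-signed: looks like the CA root, not a per-site leaf")
        if subj.get("CN") != host:
            findings.append(f"certificate CN {subj.get('CN')!r} does not match requested host {host!r}")
    if info["negotiated"] and info["negotiated"][0] == "TLSv1.3":
        findings.append("TLS 1.3 negotiated: suite choice is independent of the certificate key type")
    return findings


if __name__ == "__main__":
    for name, trace in [("ecdsa", TRACE_ECDSA_REJECTED), ("leaf", TRACE_LEAF_OK), ("root", TRACE_ROOT_SENT)]:
        print(name, diagnose(parse_trace(trace), "local.ptron"))
```

The self-signed check (subject equal to issuer) is the cheap version of what the browser does when it refuses the page: a root certificate is never a valid end-entity certificate for a hostname, so if a filtering proxy hands one out in place of a leaf, every browser will warn no matter how the root was installed.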
Apr. 23, 2024, 04:52 AM
Post: #283
RE: Proxomitron Reborn
Proxomitron Reborn 4.7.0.1 has been released with a few changes:

- Fix certificate generation
A few sites you reported here weren't working due to OpenSSL 3's stricter certificate parsing (this is actually another discernible difference between OpenSSL and browsers' SSL clients). It was happening with very low probability depending on the hostname, so I didn't catch it earlier. Note that in the future, you can enable "Misc. information" in the Log Window to see more details about certificate generation information and errors.

- Show SslCiphers and ServerCiphers in status page
Requested by whenever.

- Attempt to load OpenSSL 3.x before 1.x
Requested by whenever.

- Edited documentation
Updated the configuration dialog pages as remarked upon by whenever.

(Apr. 09, 2024 01:20 PM)DullFace Wrote:  
(Apr. 09, 2024 03:08 AM)amy Wrote:  it just closes the connection without replying with any data.
I tried to play with OpenSSL 3.2.1:

>openssl s_client -connect archive.ph:443
It connects to 90.156.209.190, shows some info and I am able to enter something.
Entering "R" gives "RENEGOTIATING", OpenSSL stops accepting input and the connection closes after some timeout (not 7200 seconds).
No reaction on input like "GET / HTTP/1.0".

>openssl s_client -connect archive.ph:443 -fallback_scsv
That option makes a difference: when I'm entering "GET / HTTP/1.0", "Host: archive.ph" and an empty line, it returns headers with an HTML page and closes the connection.
Thanks for figuring out the difference. Adding that fallback_scsv at the right time is not something that OpenSSL makes easy to do, unfortunately, and so it is another difference that can be used to distinguish Proxomitron from a browser. I am thinking of a solution to this and the other discrepancies, but it won't be easy.

(Apr. 13, 2024 01:26 PM)whenever Wrote:  What about showing the adopted values of ServerCiphers and SslCiphers in the "SSL/TLS Information" section of https://local.ptron/.pinfo/ssl/? That way we can know if user defined or default settings are applied depending on if there are errors in user defined settings.
Added to 4.7.0.1.

(Apr. 13, 2024 01:26 PM)whenever Wrote:  Also, is ServerCiphers applied to the built in https server? Is below expected with the default setting?
Yes. I'm not sure how schannel's ciphersuite lists work, but they might not be the same as what OpenSSL accepts.

(Apr. 13, 2024 01:26 PM)whenever Wrote:  Lastly, are you able to visit https://yomou.syosetu.com/ with default settings? From https://local.ptron/.pinfo/ssl/ I can see no site certificate is created for yomou.syosetu.com.
Certificate generation bug, fixed in 4.7.0.1. Thanks for reporting.

(Apr. 16, 2024 02:49 PM)whenever Wrote:  @amy, can you let new versions moving forward check for OpenSSL 3.x DLLs first and fall back to OpenSSL 1.x if OpenSSL 3.x DLLs are not present? This way I can put new and old proxo.exe, and new and old DLLs in the same directory without having to remove a specific version of DLLs to test another version of Proxo.exe.
Changed in 4.7.0.1. (I was renaming the 1.0.x DLLs to switch between them and 3.x, but your way works just as well, and it does seem to make more sense to load the latest OpenSSL version it can find.)

(Apr. 17, 2024 04:12 PM)Anno Domini Wrote:  Hi there, I can go to ebay.com without any issues, but I am unable to go to ebay.ca with the new Proxo 4.7.0.0. If I bypass Proxo it will go to ebay.ca, but with Proxo enabled it does not. Please see attached photo. I have the latest cacert.pem. Any thoughts ?
Certificate generation bug fixed in 4.7.0.1. The probability of getting a hostname that hit the bug was really low.
Apr. 23, 2024, 07:32 AM (This post was last modified: Apr. 23, 2024 07:53 AM by DullFace.)
Post: #284
RE: Proxomitron Reborn
(Apr. 23, 2024 04:52 AM)amy Wrote:  Adding that fallback_scsv at the right time is not something that OpenSSL makes easy to do, unfortunately, and so it is another difference that can be used to distinguish Proxomitron from a browser. I am thinking of a solution to this and the other discrepancies, but it won't be easy.
At that time, curl 8.4.0 (from the windows 10 distribution) worked without a proxy. Reborn 4.7.0.0 is also working now.
Code:
>curl -V
curl 8.4.0 (Windows) libcurl/8.4.0 Schannel WinIDN
Release-Date: 2023-10-11
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
Apr. 24, 2024, 02:23 AM
Post: #285
RE: Proxomitron Reborn
Does Reborn generate an ECDSA certificate for the ECDSA cipher suites?

Which OpenSSL binary would you prefer for testing?
https://wiki.openssl.org/index.php/Binaries

(Apr. 22, 2024 02:04 PM)JJoe Wrote:  ...
So, I downloaded the latest curl and

Code:
C:\curl-8.7.1_7-win64-mingw\bin>curl -s -S -v -o /dev/null --no-progress-meter --insecure --tls-max 1.2  --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://127.0.0.1:8443/ProxyLogo.jpg
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* Cipher selection: ECDHE-ECDSA-AES128-GCM-SHA256
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [115 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection
curl: (35) LibreSSL/3.9.1: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
...