ProxHTTPSProxyMII: Reloaded
Sep. 17, 2018, 01:15 AM (This post was last modified: Sep. 17, 2018 01:17 AM by Sudenr.)
Post: #286
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 16, 2018 06:37 PM)vlad_s Wrote:  Is it possible to specify that the certificate should become valid earlier, rather than at the time the certificate was generated?

Yep. In CertTool.py change the line
Code:
cert.gmtime_adj_notBefore(0)
to
Code:
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 2)  # offset in seconds from now; negative moves notBefore into the past
and all your new certificates will have a start date two days before the current time.
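As an added illustration (my code, not CertTool.py), here is a small pyOpenSSL generator using the changed gmtime_adj_notBefore call, together with a check of what the two-day backdate actually buys: a client whose clock is up to two days slow still sees the certificate as valid, while a larger skew still fails. It assumes pyOpenSSL is installed; the key type, subject and lifetime are constructed values.

```python
from datetime import datetime, timezone
from OpenSSL import crypto  # pyOpenSSL, the library behind CertTool.py

TWO_DAYS = 60 * 60 * 24 * 2  # the value from the post, in seconds
ASN1_FMT = "%Y%m%d%H%M%SZ"   # pyOpenSSL returns times as b'YYYYMMDDhhmmssZ'


def make_test_cert(common_name, backdate_seconds=TWO_DAYS):
    """Constructed self-signed certificate whose notBefore is moved
    `backdate_seconds` into the past, mirroring the edited CertTool.py line.
    (Hypothetical stand-in, not the project's own generator.)"""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = common_name
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(-backdate_seconds)   # negative = earlier than now
    cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)   # one year ahead
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return cert


def _asn1_to_datetime(raw):
    return datetime.strptime(raw.decode("ascii"), ASN1_FMT).replace(tzinfo=timezone.utc)


def backdate_of(cert):
    """Seconds between now and the certificate's notBefore (positive = in the past)."""
    return (datetime.now(timezone.utc) - _asn1_to_datetime(cert.get_notBefore())).total_seconds()


def valid_with_clock_offset(cert, offset_seconds):
    """Would a client whose clock is `offset_seconds` behind (positive) or
    ahead (negative) of real time consider the certificate's window valid?
    A slow client clock is the failure the backdating is meant to absorb."""
    client_now = datetime.now(timezone.utc).timestamp() - offset_seconds
    nb = _asn1_to_datetime(cert.get_notBefore()).timestamp()
    na = _asn1_to_datetime(cert.get_notAfter()).timestamp()
    return nb <= client_now <= na


if __name__ == "__main__":
    c = make_test_cert("example.test")
    print("notBefore is", round(backdate_of(c) / 3600), "hours in the past")
    print("client 1 day slow:", valid_with_clock_offset(c, 24 * 3600))
    print("client 3 days slow:", valid_with_clock_offset(c, 3 * 24 * 3600))
```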
Sep. 17, 2018, 01:20 AM (This post was last modified: Sep. 17, 2018 01:21 AM by Sudenr.)
Post: #287
RE: ProxHTTPSProxyMII: Reloaded
There is also one thing that bothers me. Don't you think that the default encryption between the browser and ProxHTTPSProxyMII is too strong? Really, AES256-GCM for localhost is a little... excessive.
The ciphersuite for the connection to the front proxy can be set in ProxHTTPSProxy.py on the line
Code:
ssl_sock = ssl.wrap_socket(self.connection, keyfile=dummycert, certfile=dummycert, server_side=True)
by changing it to
Code:
ssl_sock = ssl.wrap_socket(self.connection, ciphers='ECDHE-ECDSA-AES128-GCM-SHA256', keyfile=dummycert, certfile=dummycert, server_side=True)
It's better to use ECDHE-ECDSA-AES128-GCM-SHA256 if the CPU has AES-NI, ECDH+CHACHA20 if AES acceleration is unavailable, or even !aNULL to avoid a double encrypt-decrypt if connection security is managed by an upstream proxy like compy.
So, maybe a ciphersuite selection option should be placed in config.ini as an advanced option?
Sep. 17, 2018, 12:34 PM
Post: #288
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 17, 2018 01:15 AM)Sudenr Wrote:  
(Sep. 16, 2018 06:37 PM)vlad_s Wrote:  Is it possible to specify that the certificate should become valid earlier, rather than at the time the certificate was generated?

Yep. In CertTool.py change the line
Code:
cert.gmtime_adj_notBefore(0)
to
Code:
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 2)  # offset in seconds from now; negative moves notBefore into the past
and all your new certificates will have a start date two days before the current time.
Ok, it works.
Sep. 19, 2018, 04:38 PM
Post: #289
RE: ProxHTTPSProxyMII: Reloaded
It is impossible to open the sites just.ru and rbt.ru while *.variti.de is not added to the [SSL Pass-Thru] section. The script from *.variti.de loads normally in any case. So I did not understand who is to blame, privoxy or proxhttpsproxy.
Sep. 20, 2018, 07:28 AM
Post: #290
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 19, 2018 04:38 PM)vlad_s Wrote:  who is to blame, privoxy or proxhttpsproxy.
Privoxy. I do not use its default filters and actions, and both sites load normally.
Sep. 20, 2018, 03:59 PM
Post: #291
RE: ProxHTTPSProxyMII: Reloaded
In the privoxy config I commented out all filters and actions, and it did not help :( . Only the [SSL Pass-Thru] section helps; after that *.variti.de can be removed from there and it works for some time.
Sep. 20, 2018, 06:03 PM
Post: #292
RE: ProxHTTPSProxyMII: Reloaded
Did you try regenerating the *.variti.de certificate? What's in your ProxHTTPSProxy log when you go to variti.de?
Sep. 21, 2018, 12:03 PM
Post: #293
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 17, 2018 01:20 AM)Sudenr Wrote:  There is also one thing that bothers me. Don't you think that the default encryption between the browser and ProxHTTPSProxyMII is too strong? Really, AES256-GCM for localhost is a little... excessive.
The ciphersuite for the connection to the front proxy can be set in ProxHTTPSProxy.py on the line
Code:
ssl_sock = ssl.wrap_socket(self.connection, keyfile=dummycert, certfile=dummycert, server_side=True)
by changing it to
Code:
ssl_sock = ssl.wrap_socket(self.connection, ciphers='ECDHE-ECDSA-AES128-GCM-SHA256', keyfile=dummycert, certfile=dummycert, server_side=True)
It's better to use ECDHE-ECDSA-AES128-GCM-SHA256 if the CPU has AES-NI, ECDH+CHACHA20 if AES acceleration is unavailable, or even !aNULL to avoid a double encrypt-decrypt if connection security is managed by an upstream proxy like compy.
So, maybe a ciphersuite selection option should be placed in config.ini as an advanced option?
Unfortunately I don't think many, if any, browsers will like to use null SSL. Perhaps the weakest cipher they accept would be ideal, but that seems to change frequently.
Sep. 21, 2018, 04:50 PM
Post: #294
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 21, 2018 12:03 PM)amy Wrote:  Unfortunately I don't think many, if any, browsers will like to use null SSL. Perhaps the weakest cipher they accept would be ideal, but that seems to change frequently.
It's not for browsers, it's for another proxy, if it encrypts the connection by itself.
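An added example (my code, not from ProxHTTPSProxyMII) of what a cipher string actually enables in Python's ssl module, and the check worth doing before pasting one into ProxHTTPSProxy.py: the ECDSA-only string from the post can only be negotiated if the dummy certificate has an ECDSA key. If CertTool.py generates RSA keys (an assumption here; check your copy), every handshake would fail with "no shared cipher", whereas a string like ECDHE+AESGCM (constructed alternative) keeps suites for both key types. Note also that set_ciphers() governs TLS 1.2 suites only.

```python
import ssl

# Cipher strings quoted in the thread (OpenSSL cipher-list syntax).
AESNI_STRING = "ECDHE-ECDSA-AES128-GCM-SHA256"
CHACHA_STRING = "ECDH+CHACHA20"
# Constructed alternative that keeps both RSA- and ECDSA-certificate suites.
BOTH_KEYTYPES_STRING = "ECDHE+AESGCM"


def tls12_suites(cipher_string):
    """Return the TLS 1.2 suites OpenSSL enables for `cipher_string` as
    (name, auth, kea) tuples.  set_ciphers() does not touch TLS 1.3 suites,
    which is why they are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["auth"], c["kea"])
            for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def usable_with_key(cipher_string, key_type):
    """True if at least one enabled TLS 1.2 suite can authenticate with a
    server certificate of `key_type` ('rsa' or 'ecdsa').  Without such a
    suite the handshake fails with 'no shared cipher'."""
    wanted = "auth-" + key_type
    return any(auth == wanted for _, auth, _ in tls12_suites(cipher_string))


def all_forward_secret(cipher_string):
    """True if every enabled TLS 1.2 suite uses an ephemeral ECDH key exchange."""
    return all(kea == "kx-ecdhe" for _, _, kea in tls12_suites(cipher_string))


if __name__ == "__main__":
    for s in (AESNI_STRING, CHACHA_STRING, BOTH_KEYTYPES_STRING):
        print(s, "| rsa cert ok:", usable_with_key(s, "rsa"),
              "| ecdsa cert ok:", usable_with_key(s, "ecdsa"))
        for name, auth, kea in tls12_suites(s):
            print("   ", name, auth, kea)
```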
Sep. 23, 2018, 10:42 PM
Post: #295
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 20, 2018 06:03 PM)Sudenr Wrote:  Did you try regenerate *.variti.de certificate? What's in your ProxHTTPSProxy log, when you go to variti.de?
With proxhttps, the script loads if I just try to download it (by link). But when I open those sites, the problem also arises. The log is empty (no errors).
Sep. 25, 2018, 08:39 PM
Post: #296
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 23, 2018 10:42 PM)vlad_s Wrote:  The log is empty (no errors).
Open the browser network console (F12) and reload the page. Are there CORS-related errors?
Sep. 29, 2018, 07:26 AM (This post was last modified: Sep. 29, 2018 07:27 AM by vlad_s.)
Post: #297
RE: ProxHTTPSProxyMII: Reloaded
(Sep. 25, 2018 08:39 PM)Sudenr Wrote:  
(Sep. 23, 2018 10:42 PM)vlad_s Wrote:  The log is empty (no errors).
Open the browser network console (F12) and reload the page. Are there CORS-related errors?
There are no errors, just the script with variti.de reloads all the time.
Oct. 14, 2018, 08:28 AM (This post was last modified: Oct. 14, 2018 08:39 AM by vlad_s.)
Post: #298
RE: ProxHTTPSProxyMII: Reloaded
There is a similar problem with the site cdek.ru: on opening, it redirects to ohio8.vchecks.me and so on to infinity. If ohio8.vchecks.me is added to [SSL Pass-Thru], then the site opens. I added ohio8.vchecks.me to privoxy and used the filters
Code:
# Privoxy action section: apply the 'fragile' alias to this host
{fragile}
ohio8.vchecks.me/
It seems this turns off filtering. But it does not help.
There are errors in the log:
Code:
[11:34] 260 ProxHTTPSProxyMII FrontProxy/v1.5 [Errno 32] Broken pipe
[11:34] 266 ProxHTTPSProxyMII FrontProxy/v1.5 [Errno 32] Broken pipe
[11:35] 275 ProxHTTPSProxyMII FrontProxy/v1.5 [Errno 32] Broken pipe
[11:35] 285 ProxHTTPSProxyMII FrontProxy/v1.5 [Errno 32] Broken pipe
[11:36] 288 ProxHTTPSProxyMII FrontProxy/v1.5 [Errno 32] Broken pipe
Etc. The three-digit number keeps growing.