Proxomitron Reborn
Dec. 02, 2023, 07:22 PM
Post: #226
RE: Proxomitron Reborn
(Jul. 06, 2023 04:44 AM)amy Wrote:  I just wanted to share some progress Smile!

...amazing progress thus far !!! Amy is the MAN ! I mean, the WOMAN ! :-)
Jan. 03, 2024, 09:51 AM
Post: #227
RE: Proxomitron Reborn
Amy, please, upload whatever last versions you got. Regardless of stability and bugs.
Don't let it end like this.
Jan. 15, 2024, 02:37 AM
Post: #228
RE: Proxomitron Reborn
I wanted to fix an odd intermittent failure to connect error with OpenSSL 3.x before doing anything more, but as usual, real life got in the way again Wink
[-] The following 1 user says Thank You to amy for this post:
referrer
Apr. 02, 2024, 05:09 AM
Post: #229
RE: Proxomitron Reborn
Happy Easter! Proxomitron Reborn 4.7.0.0 has been released!

Changes:
- Fix O and ST exchanged in certificate generator
A minor cosmetic bug, thanks to mizzmona for spotting it!

- Save log flags to config
The existing log settings will be reused when the config is saved. Requested by val.

- Show log window icon in Alt+Tab windows list
Self-explanatory. Requested by DullFace.

- OpenSSL 3.0.x support (see here for new OpenSSL DLLs - I have split them into two parts, one for libcrypto-3.dll and the other for libssl-3.dll, since they were too big combined.)
Use the new DLLs and enjoy TLS 1.3 support! Proxomitron remains backwards-compatible with 1.0.x OpenSSL DLLs if you still need to use them for some reason.

- Enable configuration of server cipherlist via ServerCiphers
"Hidden" configuration file option "ServerCiphers" in the global section was also added to allow configuring what ciphersuites OpenSSL allows for a browser connecting to Proxomitron; it is worth making this as permissive as possible to enable wide backwards-compatibility, since the security of a local browser-Proxomitron connection is really irrelevant.

- Make generated certificates' dates match root
Appease picky browsers that don't like it when certificates' validities extend beyond their signers'.

- Fix race condition that may lead to inconsistent connection numbering
Fix for a rare intermittent bug that may be causing connections to not always be closed correctly.

- Fix content length determination for 204 and 1xx responses
Now Proxomitron doesn't hang open connections if a 204 or 1xx response is received from the server.

- Correct length in Recent URLs for chunked transfer encoding
If the server uses Chunked transfer encoding, Proxomitron would previously only show "0" as the content length in the Recent URLs list. Now it will show the correct length of the data transferred.

- Fix forced filtering of compressed content
Old bugfix requested by whenever. $FILTER() should now work correctly even on compressed content (which will also be decompressed before filtering.)

- Add custom icons feature
Requested by DullFace. Place respectively "proxo.ico", "proxo_log.ico", "proxo_tray.ico", and "proxo_trayb.ico" in Proxomitron's directory to change the icon used for the main window, log window, tray icon, and tray-bypassed icon. Icons are read upon startup and used if present; otherwise, the default icon is used.

- Edited documentation
Included in the 4.7R+ release is the old set of documentation from Scott, edited to fix minor spelling and grammar errors, and with some additions and relevantly updated commentary on using Proxomitron Reborn in this era of the ever-more-user-hostile "modern web".

As always, I hope you enjoy this release and continue to report any bugs or feature requests - I have finally some more time to work on Proxomitron Reborn again, and plan to implement at least a few more of the ideas we've come up with for future enhancements.
[-] The following 8 users say Thank You to amy for this post:
DullFace, eclipse, referrer, bugmenot, whenever, defconnect, ProxRocks, Styx
Apr. 07, 2024, 07:41 AM
Post: #230
RE: Proxomitron Reborn
Thank you very much for this huge update. TLS 1.3 support is going to extend Proxomitron's life by another decade. Long live Proxomitron!

(Apr. 02, 2024 05:09 AM)amy Wrote:  - Enable configuration of server cipherlist via ServerCiphers

What's the default if we don't set it? Under what circumstances do we need to set this option?

(Apr. 02, 2024 05:09 AM)amy Wrote:  I have finally some more time to work on Proxomitron Reborn again, and plan to implement at least a few more of the ideas we've come up with for future enhancements.

Do you mind sharing what we can expect next? Smile!

Lastly, is there anything me or the community can do to help with the process? Obviously most of us don't have the programming skill but I really want to buy you a beer or do something to express my gratitude.
Apr. 07, 2024, 09:00 AM
Post: #231
RE: Proxomitron Reborn
(Apr. 02, 2024 05:09 AM)amy Wrote:  - Edited documentation

"The Configuration Dialog - HTTPS" page (CfgT6.html) is an important addition but for now only the 2 pages listed below have links to it on their top right menu, which is easy to ignore.
  • CfgT5.html
  • External Proxy Dialog.html

Maybe we update those CfgT[1-5].jpg to reflect the new HTTPS tab?
Apr. 08, 2024, 04:13 AM
Post: #232
RE: Proxomitron Reborn
Applause So far, it appears to be running better than the last release. The old OpenSSL DLL may have been causing the problems I attributed to my cfg, I hope.

(Apr. 02, 2024 05:09 AM)amy Wrote:  "ServerCiphers" in the global section was also added to allow configuring what ciphersuites OpenSSL allows for a browser connecting to Proxomitron;

How do I format the ciphersuite name in the global section?
I've tried
Code:
ServerCiphers = "TLS_DHE_RSA_WITH_AES_128_CCM"
ServerCiphers = "TLS-DHE-RSA-WITH-AES-128-CCM"
ServerCiphers = "AESCCM"
and more. Inserted before and after
Code:
SslCiphers = "AESGCM:AESCCM:CHACHA20:!RSA:@STRENGTH"
Accompanied by restart of Reborn.
No joy. The browsers show same cipher as site.
I didn't try without quotes, however...

My thought was to use the quickest, cpu friendly cipher for the browser connection.


ATBFAQs?:
Results of SslCiphers setting may be seen at https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Remove or rename the old "libeay32.dll" and add the new dlls.
libcrypto-3.dll and libssl-3.dll at https://prxbx.com/forums/showthread.php?tid=2179&pid=18693#pid18693

.jpg  RebornDefaultProtocolFeatures-clienttest.ssllabs.com8443ssltestviewMyClient.html.jpg (Size: 304.13 KB / Downloads: 22)

.jpg  RebornSslCiphersModProtocolFeatures-clienttest.ssllabs.com8443ssltestviewMyClient.html.jpg (Size: 176.07 KB / Downloads: 21)
ATBFAQs? =Answers To Be Frequently Asked Questions?
Apr. 08, 2024, 08:42 AM
Post: #233
RE: Proxomitron Reborn
Reborn 4.7.0.0 with OpenSSL 3.0.9 doesn't work with archive.ph. Other TLS 1.3 sites work.

>curl -o test2 --insecure --proxy 127.0.0.1:1234 "https://archive.ph/"
Apr. 09, 2024, 03:08 AM
Post: #234
RE: Proxomitron Reborn
(Apr. 07, 2024 07:41 AM)whenever Wrote:  What's the default if we don't set it? Under what circumstances do we need to set this option?
ALL:!3DES:!DES:!eNULL:!aNULL:@STRENGTH. You only need to change it if the browser (too new) complains about the server being insecure, or cannot connect (too old).

(Apr. 07, 2024 07:41 AM)whenever Wrote:  Do you mind sharing what we can expect next? Smile!
No specifics at the moment, but just look through the previous pages at what hasn't been implemented yet, for an idea of what might come next. Wink
(Apr. 07, 2024 07:41 AM)whenever Wrote:  Lastly, is there anything me or the community can do to help with the process? Obviously most of us don't have the programming skill but I really want to buy you a beer or do something to express my gratitude.
I don't really expect anything from y'all, but you can continue using Proxomitron Reborn and reporting bugs/requesting features. In a similar spirit to Scott, I'm doing this mainly because I use it myself and just sharing what I've done.

(Apr. 07, 2024 09:00 AM)whenever Wrote:  "The Configuration Dialog - HTTPS" page (CfgT6.html) is an important addition but for now only the 2 pages listed below have links to it on their top right menu, which is easy to ignore.
  • CfgT5.html
  • External Proxy Dialog.html

Maybe we update those CfgT[1-5].jpg to reflect the new HTTPS tab?
Point noted, will do with the next release.

(Apr. 08, 2024 04:13 AM)JJoe Wrote:  How do I format the ciphersuite name in the global section?
I've tried
Code:
ServerCiphers = "TLS_DHE_RSA_WITH_AES_128_CCM"
ServerCiphers = "TLS-DHE-RSA-WITH-AES-128-CCM"
ServerCiphers = "AESCCM"
and more. Inserted before and after
Code:
SslCiphers = "AESGCM:AESCCM:CHACHA20:!RSA:@STRENGTH"
Accompanied by restart of Reborn.
No joy. The browsers show same cipher as site.
I didn't try without quotes, however...
It's the same format as SslCiphers, an OpenSSL cipherlist, see here for the details: https://www.openssl.org/docs/man3.0/man1...phers.html

If you modify SslCiphers then SSL-testing sites will see the changes, but if you modify ServerCiphers, they won't, because ServerCiphers only affects the browser-proxy communication.

(Apr. 08, 2024 08:42 AM)DullFace Wrote:  Reborn 4.7.0.0 with OpenSSL 3.0.9 doesn't work with archive.ph. Other TLS 1.3 sites work.

>curl -o test2 --insecure --proxy 127.0.0.1:1234 "https://archive.ph/"
That's an interesting one. I used openssl s_client to test and it connects successfully, negotiating TLS 1.2, ECDHE-ECDSA-AES256-GCM-SHA384, but upon trying to send it the exact same request my browser did (which works), it just closes the connection without replying with any data. With Proxomitron Reborn as the client, and the same request, the connection hangs until the timeout. I suspect they may be doing some sort of TLS fingerprinting to detect "non-browser" connections. I get the same results with the old OpenSSL 1.0.1 I was using before, so it's not a newly introduced bug. It might take a while to fix if it is fine-grained TLS fingerprinting. I have some posts in https://www.prxbx.com/forums/showthread.php?tid=2623 with more thoughts on that. Continuing to use OpenSSL for the base crypto primitives and implementing my own SSL/TLS layer might be the most flexible path forward, but even without needing to write my own actual crypto code (very difficult and error-prone, although maybe not as much as the gatekeepers want us to think...), obviously not trivial.
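Added example, not part of amy's post or of Proxomitron's code: the OpenSSL cipherlist format that both SslCiphers and ServerCiphers use can be checked by asking OpenSSL what a string expands to. This sketch uses Python's ssl module as a stand-in; `expand` is a hypothetical helper, and the result reflects the OpenSSL build Python links against, not the DLLs Proxomitron loads.

```python
import ssl

# Default ServerCiphers value quoted in the thread.
DEFAULT_SERVER_CIPHERS = "ALL:!3DES:!DES:!eNULL:!aNULL:@STRENGTH"
# SslCiphers value quoted in the thread.
MODIFIED_SSL_CIPHERS = "AESGCM:AESCCM:CHACHA20:!RSA:@STRENGTH"


def expand(cipherlist):
    """Return the TLS 1.2-and-older suites selected by an OpenSSL
    cipherlist, in preference order, or None if nothing matches."""
    # Server-side context: ServerCiphers governs the proxy acting as the
    # TLS server towards the browser.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        # OpenSSL found no suite matching any token in the string.
        return None
    # get_ciphers() also lists TLS 1.3 suites, which the cipherlist
    # string does not control, so leave them out of the result.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def report(cipherlist):
    """One-line summary of what a candidate config value would select."""
    suites = expand(cipherlist)
    if suites is None:
        return f"{cipherlist!r}: rejected, no matching suites"
    return f"{cipherlist!r}: {len(suites)} suites, first is {suites[0]}"


if __name__ == "__main__":
    # Candidate values taken from the thread, plus one constructed bogus name.
    for value in (DEFAULT_SERVER_CIPHERS, MODIFIED_SSL_CIPHERS,
                  "AESCCM", "TLS-DHE-RSA-WITH-AES-128-CCM",
                  "NOT-A-REAL-CIPHER"):
        print(report(value))
```

A value that comes back as rejected here would leave OpenSSL with no usable TLS 1.2 suites, so it is worth running a candidate string through a check like this before putting it in the config file.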
Apr. 09, 2024, 09:39 AM
Post: #235
RE: Proxomitron Reborn
(Apr. 08, 2024 04:13 AM)JJoe Wrote:  ATBFAQs?:
libcrypto-3.dll and libssl-3.dll at https://prxbx.com/forums/showthread.php?tid=2179&pid=18693#pid18693


ATBFAQs? =Answers To Be Frequently Asked Questions?

What are these libcrypto-3.dll and libssl-3.dll files?
I am not seeing when/where these were "added".
Apr. 09, 2024, 12:35 PM
Post: #236
RE: Proxomitron Reborn
(Apr. 02, 2024 05:09 AM)amy Wrote:  Happy Easter! Proxomitron Reborn 4.7.0.0 has been released!

Changes:
...

- OpenSSL 3.0.x support (see here for new OpenSSL DLLs - I have split them into two parts, one for libcrypto-3.dll and the other for libssl-3.dll, since they were too big combined.)
Use the new DLLs and enjoy TLS 1.3 support! Proxomitron remains backwards-compatible with 1.0.x OpenSSL DLLs if you still need to use them for some reason.

...

(Apr. 09, 2024 09:39 AM)ProxRocks Wrote:  ...
What are these libcrypto-3.dll and libssl-3.dll files?
I am not seeing when/where these were "added".
Apr. 09, 2024, 01:20 PM (This post was last modified: Apr. 09, 2024 01:43 PM by DullFace.)
Post: #237
RE: Proxomitron Reborn
(Apr. 09, 2024 03:08 AM)amy Wrote:  it just closes the connection without replying with any data.
I tried to play with OpenSSL 3.2.1:

>openssl s_client -connect archive.ph:443
It connects to 90.156.209.190, shows some info and I am able to enter something.
Entering "R" gives "RENEGOTIATING", OpenSSL stops accepting input and connection closes after some timeout (not 7200 seconds).
No reaction on input like "GET / HTTP/1.0".

>openssl s_client -connect archive.ph:443 -fallback_scsv
That option makes a difference: when I'm entering "GET / HTTP/1.0", "Host: archive.ph" and an empty line, it returns headers with an HTML page and closes the connection.
[-] The following 1 user says Thank You to DullFace for this post:
amy
Apr. 09, 2024, 01:25 PM
Post: #238
RE: Proxomitron Reborn
(Apr. 09, 2024 03:08 AM)amy Wrote:  ....
(Apr. 08, 2024 08:42 AM)DullFace Wrote:  Reborn 4.7.0.0 with OpenSSL 3.0.9 doesn't work with archive.ph. Other TLS 1.3 sites work.

>curl -o test2 --insecure --proxy 127.0.0.1:1234 "https://archive.ph/"
That's an interesting one.

Could also be a combination of misconfiguration and network errors that the browsers usually manage to work around. Site did fail to load once during testing without Reborn.
https://www.ssllabs.com/ssltest/analyze.html?d=archive.ph&hideResults=on reported "Assessment failed: Unable to connect to the server". None of the online analyzers that I used produced an error-free report.

https://www.ssllabs.com/ssltest/analyze....Results=on Wrote:Known Problems

There are some errors that we cannot fix properly in the current version. They will be addressed in the next generation version, which is currently being developed.

No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.

Common Error Messages
...
...
Unable to connect to server - failed to connect to the server, it usually happens due to firewall restrictions
Apr. 09, 2024, 01:32 PM
Post: #239
RE: Proxomitron Reborn
(Apr. 09, 2024 01:20 PM)DullFace Wrote:  ...
>openssl s_client -connect archive.ph:443
It connects to 90.156.209.190, ...

https://www.ssllabs.com/ssltest/analyze.html?d=www.archive.ph&hideResults=on reports 78.108.190.21
Apr. 09, 2024, 01:46 PM
Post: #240
RE: Proxomitron Reborn
(Apr. 09, 2024 01:32 PM)JJoe Wrote:  reports 78.108.190.21
DNS servers 1.1.1.1, 8.8.8.8, 9.9.9.9 and others give different results :-D