[Privoxy-devel] https-inspection challenges

Lee ler762 at gmail.com
Wed Jun 17 18:00:03 UTC 2020


On 6/5/20, Fabian Keil <fk at fabiankeil.de> wrote:
> Roland Rosenfeld <roland at spinnaker.de> wrote:
>
>> While most broken SSL sites were correctly detected, on
>> https://revoked.badssl.com/ privoxy doesn't notice that the
>> certificate has been revoked.
>
> That's the currently expected behaviour. Privoxy
> currently does not check for revoked certificates.
>
> I don't know how much work implementing this would be.
>
> I can also access the page just fine without Privoxy using
> Firefox and curl so I guess Privoxy is not alone here.

hrmm... for Firefox (on Windows)
   https://revoked.badssl.com/
gives me

Secure Connection Failed
An error occurred during a connection to revoked.badssl.com. Peer’s
Certificate has been revoked. Error code:
SEC_ERROR_REVOKED_CERTIFICATE


>> I think that I will build the next Debian package with mbedtls enabled
>> and maybe with ca and certs directories preinstalled with correct
>> permissions and maybe a little README, that explains onboarding (what
>> directories have to exist with what permissions and how to create a CA
>> key/cert pair on Debian and where you will find a trusted-cas-file on
>> Debian etc.).

Instead of a README, how about putting it in the user manual?
If you don't want to deal with the docbook ick just send me the file &
I can add it to the user manual for you.

Fabian, what do you think of changing
file:///C:/cygwin/source/privoxy/privoxy/doc/webserver/user-manual/config.html#TLS

7.7. TLS/SSL

to

7.7. TLS/SSL Inspection

and documenting the { +https-inspection } action there?


How much work would it be to add support for the GnuTLS library?  The
ability to do TLS inspection is great, but it'd also be nice to blend
in with normal FF/TorBrowser users - for example, compare the results
from
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

FF and the tor browser look the same (for me on windows) using TLS 1.3
and a small set of Cipher Suites, but with privoxy configured with

{ +https-inspection }
.ssllabs.com/

I get very different results.

It doesn't look like tls 1.3 is planned for mbed-tls any time soon,
but could we at least turn off/disable all/most of those 'extra'
cipher suites?

Lee
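As an added example (not part of this thread or of Privoxy's own code), here is a small Python ClientHello builder and parser that makes the difference discussed above concrete: it extracts the offered TLS versions and cipher suites, which is what a test server such as the SSL Labs client test reports, so a browser-like hello can be compared with one from a TLS 1.2-only proxy. The two hellos and their suite lists are constructed sample values, not captures.

```python
import struct

# Minimal TLS ClientHello builder and parser (constructed for this example) for
# comparing what a test server sees from a browser vs. from an inspecting proxy.
TLS12, TLS13 = 0x0303, 0x0304
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446

def build_client_hello(suites, versions):
    """Build a ClientHello record offering `suites` and a supported_versions
    extension listing `versions` (TLS 1.3 clients advertise 0x0304 there)."""
    body = struct.pack(">H", TLS12) + bytes(32) + b"\x00"        # legacy_version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                          # compression_methods: null only
    vlist = b"".join(struct.pack(">H", v) for v in versions)
    ext = struct.pack(">HHB", SUPPORTED_VERSIONS_EXT, len(vlist) + 1, len(vlist)) + vlist
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body        # handshake type 1, 24-bit length
    return b"\x16" + struct.pack(">HH", TLS12, len(hs)) + hs      # record type 22 (handshake)

def parse_client_hello(rec):
    """Return {"versions": [...], "suites": [...]} as offered by a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                                        # after record + handshake headers
    versions = [struct.unpack(">H", rec[p:p + 2])[0]]            # legacy_version, overridden below
    p += 2 + 32                                                  # version, random
    p += 1 + rec[p]                                              # session id
    n = struct.unpack(">H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", rec[p + i:p + i + 2])[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                                              # compression methods
    if p < len(rec):                                             # extensions present
        end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack(">HH", rec[p:p + 4]); data = rec[p + 4:p + 4 + elen]; p += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:                  # list length byte, then u16 versions
                versions = [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"versions": versions, "suites": suites}

def extra_suites(reference, candidate):
    """Cipher suites the candidate hello offers that the reference hello does not."""
    ref = set(parse_client_hello(reference)["suites"])
    return [s for s in parse_client_hello(candidate)["suites"] if s not in ref]

# Constructed sample hellos: a browser-like TLS 1.3 client and a TLS 1.2-only proxy with extra suites.
BROWSER_LIKE = build_client_hello([0x1301, 0x1303, 0xc02f], [TLS13, TLS12])
PROXY_LIKE = build_client_hello([0xc02f, 0x002f, 0x000a], [TLS12])

if __name__ == "__main__":                                       # run stand-alone to compare the two hellos
    print("offered only by the proxy:", [hex(s) for s in extra_suites(BROWSER_LIKE, PROXY_LIKE)])
```

Feeding a real capture of the proxy's ClientHello into `parse_client_hello` shows which suites would have to be disabled to match the browser's set.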
