[Privoxy-devel] https-inspection challenges

Fabian Keil fk at fabiankeil.de
Thu Jun 18 11:31:42 UTC 2020


Lee <ler762 at gmail.com> wrote:

> On 6/5/20, Fabian Keil <fk at fabiankeil.de> wrote:
> > Roland Rosenfeld <roland at spinnaker.de> wrote:
> >
> >> While most broken SSL sites were correctly detected, on
> >> https://revoked.badssl.com/ privoxy doesn't notice that the
> >> certificate has been revoked.
> >
> > That's the currently expected behaviour. Privoxy
> > currently does not check for revoked certificates.
> >
> > I don't know how much work implementing this would be.
> >
> > I can also access the page just fine without Privoxy using
> > Firefox and curl so I guess Privoxy is not alone here.
> 
> hrmm... for Firefox (on Windows)
>    https://revoked.badssl.com/
> gives me
> 
> Secure Connection Failed
> An error occurred during a connection to revoked.badssl.com. Peer’s
> Certificate has been revoked. Error code:
> SEC_ERROR_REVOKED_CERTIFICATE

Turns out I set security.OCSP.enabled=0.
Presumably so Firefox phones home less often.

> >> I think that I will build the next Debian package with mbedtls enabled
> >> and maybe with ca and certs directories preinstalled with correct
> >> permissions and maybe a little README, that explains onboarding (what
> >> directories have to exist with what permissions and how to create a CA
> >> key/cert pair on Debian and where you will find a trusted-cas-file on
> >> Debian etc.).
> 
> Instead of a README, how about putting it in the user manual?
> If you don't want to deal with the docbook ick just send me the file &
> I can add it to the user manual for you.
> 
> Fabian, what do you think of changing
> file:///C:/cygwin/source/privoxy/privoxy/doc/webserver/user-manual/config.html#TLS
> 
> 7.7. TLS/SSL
> 
> to
> 
> 7.7. TLS/SSL Inspection
> 
> and documenting the { +https-inspection } action there?

Makes sense to me.

> How much work would it be to add support for the GnuTLS library?

Most of the mbedTLS code is in ssl.c. The file could be
copied and the function bodies replaced with GnuTLS code.

> The
> ability to do TLS inspection is great, but it'd also be nice to blend
> in with normal FF/TorBrowser users - for example, compare the results
> from
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
> 
> FF and the tor browser look the same (for me on windows) using TLS 1.3
> and a small set of Cipher Suites, but with privoxy configured with
> 
> { +https-inspection }
> .ssllabs.com/
> 
> I get very different results.
> 
> It doesn't look like tls 1.3 is planned for mbed-tls any time soon,
> but could we at least turn off/disable all/most of those 'extra'
> cipher suites?

Vašek's patch set "Added ciphersuites configuration using Mbed TLS." (Patch 81):
https://www.fabiankeil.de/sourcecode/privoxy/vaclav-svec-ssl-patches-based-on-v_3_0_28.diff
so this seems doable.

I think it can wait until the next release, though.

Fabian