[Privoxy-devel] HTTPS filtering in Privoxy
Fabian Keil
fk at fabiankeil.de
Mon May 25 09:28:16 UTC 2020
Vašek Švec <va.svec at gmail.com> wrote:
> I implemented filtering of incoming data from server over HTTPS in
> Privoxy in 2017. We were mailing about it in 2017 in this mailing list,
> but I hadn't enough time to fix all your comments. Now I rebased previous
> improvements to Privoxy 3.0.28 and I made some other improvements in my
> master's thesis. I would like to offer you these improvements for potential
> publication in official Privoxy sources.

Great.

A modified version of your previous patch was already committed
in 2019 and was followed by a bunch of fixes and improvements.
It will be part of the next Privoxy release once a few remaining
issues have been fixed.

> Current version of my improvements offers:
>
> - Filtering of all data transmitted over HTTPS. (Client's requests and
>   server's responses)
> - Server certificate check and sending information about failure to
>   the client. (already in version from 2017)
> - CGI interface over HTTPS
> - HTTPS sessions reusing (TLS connections are being reused for more
>   than one client's request to the same web server)
>     - It reduces the time to load web page over HTTPS
> - HTTPS sessions sharing (the same principle as current
>   connection-sharing for TCP connections)
> - Used cryptographic library LibreSSL or MbedTLS
>     - LibreSSL supports setting the value of Subject Alternative Name in
>       generated certificates, so it's compatible with modern web
>       browsers.
>     - User can select LibreSSL, MbedTLS or no cryptographic library in
>       ./configure script using new switches.
> - Configuration
>     - Usage of ssl tunnel for specified urls (already in version from
>       2017)
>     - Ignoring server certificate errors for specified urls (already
>       in version from 2017)
>     - Specification of cipher list for specified urls
>
> I can offer you patch file for each commit (84 patch files) if you are
> interested. They include adaptation of the original changes from
> Privoxy version 3.0.26 to version 3.0.28 and new improvements.

I'm obviously interested.

Could you rebase your changes on Privoxy's git version, though?

You can get it with: git clone https://www.privoxy.org/git/privoxy.git

To enable the https inspection code, configure with --with-mbedtls.

Fabian