[Privoxy-users] [privoxy-3.0.33] Can't get https-inspection to work (PR_END_OF_FILE_ERROR)

avoidr avoidr at posteo.de
Thu Sep 22 16:30:49 CEST 2022


Hello everyone,

I'm having trouble setting up https-inspection and I don't know how to
further troubleshoot.

Currently I am getting an error in Firefox that says:
```
Secure Connection Failed

An error occurred during a connection to example.com. PR_END_OF_FILE_ERROR

- The page you are trying to view cannot be shown because the
  authenticity of the received data could not be verified.
```

curl output:
```
$ http_proxy=127.0.0.1:8118 https_proxy=127.0.0.1:8118 curl -I https://example.com/
HTTP/1.1 200 Connection established

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
```

I've searched the web, and it suggested that PR_END_OF_FILE_ERROR is
related to mismatching cipher suites. I've played around with
cipher-list by way of commenting out the examples in the config. None of
them helped. I've even re-linked Privoxy with OpenSSL instead of MbedTLS
and tried the examples and the default as well, which didn't help,
either.

My web search on PR_END_OF_FILE_ERROR also suggested turning off DNS
over HTTPS. Tried that in Firefox, didn't work. Besides, curl is also
throwing an error.

These are my settings in the Privoxy config file:
```
actionsfile test.action
listen-address  127.0.0.1:8118
ca-cert-file cacert.crt
ca-key-file cakey.pem
ca-password [...]
certificate-directory /var/privoxy/certs
trusted-cas-file cacert.pem  # downloaded from https://curl.se/[...]
```

To generate ca-cert-file and ca-key-file, I used this command, taken
from the comment in the config file:
```
openssl req -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
```

cacert.crt:
```
Issuer: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
Validity
	Not Before: Sep 21 18:01:44 2022 GMT
	Not After : Sep 18 18:01:44 2032 GMT
Subject: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
```

I downloaded the trusted-cas-file from https://curl.se/ca/cacert.pem as in the
comment in the config. (But I also generated the file myself at first, which
didn't make Privoxy work.)

test.action:
```
{+https-inspection}
.example.com
```

```
# ls -l /etc/privoxy/test.action /etc/privoxy/cacert.* /etc/privoxy/cakey.pem
-rw-rw---- 1 privoxy privoxy /etc/privoxy/test.action
-rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.crt
-rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.pem
-rw-rw---- 1 privoxy privoxy /etc/privoxy/cakey.pem

# ls -ld /var/privoxy/
drwxr-x--- 3 privoxy privoxy /var/privoxy/
# ls -ld /var/privoxy/certs/
drwxr-x--- 2 privoxy privoxy /var/privoxy/certs/
```

There are some PEM files in certificate-directory, generated by Privoxy,
which are actually private keys.

I verified that FEATURE_HTTPS_INSPECTION is set to "Yes" in
http://config.privoxy.org/show-status.

In Firefox, I set proxy settings to:
HTTP:  127.0.0.1:8118
HTTPS: "use HTTP settings"

In Firefox, I also imported the ca-cert-file in the "Authorities" tab in
the Certificate manager, and I set the trust to "This certificate can
identify websites".

There are no errors in logdir/logfile. There is one message from a
previous permissions problem of test.action, so logging works, but
nothing related to this problem.

I even restarted the privoxy service and Firefox, and still nothing.


I am now out of ideas. How could I proceed from here? Do you see
anything wrong in my settings?

Thank you in advance.

Kind regards.
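
A consistency check for the CA pair referenced by the `ca-cert-file`, `ca-key-file` and `ca-password` settings in the message above, as an added example that is not part of the original post and is not Privoxy's own tooling. It confirms that the key decrypts with the passphrase, belongs to the certificate, and that the certificate is an unexpired CA; the function name `check_ca_pair` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: consistency check for the CA pair named by ca-cert-file,
# ca-key-file and ca-password. check_ca_pair and its return codes are
# hypothetical names chosen for this example.

check_ca_pair() {
    cert=$1
    key=$2
    pass=$3

    # Public key embedded in the CA certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert"
        return 2
    }

    # Public key derived from the private key. The passphrase is handed to
    # openssl via env: rather than pass: so it stays out of its argument list.
    key_pub=$(CA_PASS=$pass openssl pkey -in "$key" -passin env:CA_PASS \
        -pubout 2>/dev/null) || {
        echo "cannot load key (unreadable file or wrong passphrase): $key"
        return 3
    }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not belong to certificate"
        return 4
    fi

    # The certificate must be allowed to sign other certificates.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "certificate is not marked as a CA"
        return 5
    fi

    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"
        return 6
    fi

    echo "CA certificate and key are consistent"
}
```

Run it as the account Privoxy runs under, so that file permission problems show up as return code 2 or 3.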

