[Privoxy-users] [privoxy-3.0.33] Can't get https-inspection to work (PR_END_OF_FILE_ERROR)

avoidr avoidr at posteo.de
Fri Sep 23 09:39:17 CEST 2022


I just noticed I can increase the debug level... I'll do that and see
again.

On Thu, Sep 22, 2022 at 02:30:49PM +0000, avoidr wrote:
> Hello everyone,
> 
> I'm having trouble setting up https-inspection and I don't know how to
> further troubleshoot.
> 
> Currently I am getting an error in Firefox that says:
> ```
> Secure Connection Failed
> 
> An error occurred during a connection to example.com. PR_END_OF_FILE_ERROR
> 
> - The page you are trying to view cannot be shown because the
>   authenticity of the received data could not be verified.
> ```
> 
> curl output:
> ```
> $ http_proxy=127.0.0.1:8118 https_proxy=127.0.0.1:8118 curl -I https://example.com/
> HTTP/1.1 200 Connection established
> 
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
> ```
> 
> I've searched the web, and it suggested that PR_END_OF_FILE_ERROR is
> related to mismatching cipher suites. I've played around with
> cipher-list by way of commenting out the examples in the config. None of
> them helped. I've even re-linked Privoxy with OpenSSL instead of MbedTLS
> and tried the examples and the default as well, which didn't help,
> either.
> 
> My web search on PR_END_OF_FILE_ERROR also suggested turning off DNS
> over HTTPS. Tried that in Firefox, didn't work. Besides, curl is also
> throwing an error.
> 
> These are my settings in the Privoxy config file:
> ```
> actionsfile test.action
> listen-address  127.0.0.1:8118
> ca-cert-file cacert.crt
> ca-key-file cakey.pem
> ca-password [...]
> certificate-directory /var/privoxy/certs
> trusted-cas-file cacert.pem  # downloaded from https://curl.se/[...]
> ```
> 
> To generate ca-cert-file and ca-key-file, I used this command, taken
> from the comment in the config file:
> ```
> openssl req -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
> ```
> 
> cacert.crt:
> ```
> Issuer: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
> Validity
> 	Not Before: Sep 21 18:01:44 2022 GMT
> 	Not After : Sep 18 18:01:44 2032 GMT
> Subject: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
> ```
> 
> I downloaded the trusted-cas-file from https://curl.se/ca/cacert.pem as in the
> comment in the config. (But I also generated the file myself at first, which
> didn't make Privoxy work.)
> 
> test.action:
> ```
> {+https-inspection}
> .example.com
> ```
> 
> ```
> # ls -l /etc/privoxy/test.action /etc/privoxy/cacert.* /etc/privoxy/cakey.pem
> -rw-rw---- 1 privoxy privoxy /etc/privoxy/test.action
> -rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.crt
> -rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.pem
> -rw-rw---- 1 privoxy privoxy /etc/privoxy/cakey.pem
> 
> # ls -ld /var/privoxy/
> drwxr-x--- 3 privoxy privoxy /var/privoxy/
> # ls -ld /var/privoxy/certs/
> drwxr-x--- 2 privoxy privoxy /var/privoxy/certs/
> ```
> 
> There are some PEM files in certificate-directory, generated by Privoxy,
> which are actually private keys.
> 
> I verified that FEATURE_HTTPS_INSPECTION is set to "Yes" in
> http://config.privoxy.org/show-status.
> 
> In Firefox, I set proxy settings to:
> HTTP:  127.0.0.1:8118
> HTTPS: "use HTTP settings"
> 
> In Firefox, I also imported the ca-cert-file in the "Authorities" tab in
> the Certificate manager, and I set the trust to "This certificate can
> identify websites".
> 
> There are no errors in logdir/logfile. There is one message from a
> previous permissions problem of test.action, so logging works, but
> nothing related to this problem.
> 
> I even restarted the privoxy service and Firefox, and still nothing.
> 
> 
> I am now out of ideas. How could I proceed from here? Do you see
> anything wrong in my settings?
> 
> Thank you in advance.
> 
> Kind regards.

