[Privoxy-users] [privoxy-3.0.33] Can't get https-inspection to work (PR_END_OF_FILE_ERROR)
avoidr
avoidr at posteo.de
Sat Sep 24 16:54:24 CEST 2022
On Fri, Sep 23, 2022 at 07:39:17AM +0000, avoidr wrote:
> I just noticed I can increase the debug level... I'll do that and see
> again.
Ok, I was able to resolve my issue.
I set debug to 8192 ("Non-fatal errors") and that gave me the clue that
my ca-cert-file is misplaced:
```
2022-09-24 15:09:51.478 7f7078acd640 Error: Error opening certificate file ./CA/cacert.crt: No such file or directory
2022-09-24 15:09:51.478 7f7078acd640 Error: Loading issuer certificate ./CA/cacert.crt failed
2022-09-24 15:09:51.478 7f7078acd640 Error: generate_host_certificate failed: -1
```
After placing ca-cert-file, ca-key-file, and trusted-cas-file into
ca-directory, https-inspection started working correctly.
The issue with my configuration stemmed from my false assumption about
ca-directory's default setting; the documentation says the default value
is an empty string. However "./CA/" is not an empty string.
Later I also found that ./CA/ is not relative to confdir (which I had
assumed), but relative to the process' CWD (?).
In other words, I had assumed that ca-directory is relative to confdir,
and that if ca-directory is unset, the default effective value would be
that of confdir, but it was /CA/ instead.
From my point of view, ca-directory should be relative to confdir,
unless an absolute path is given.
Then, the default value of ca-directory being "./CA/" seems sensible.
Kind regards.
>
> On Thu, Sep 22, 2022 at 02:30:49PM +0000, avoidr wrote:
> > Hello everyone,
> >
> > I'm having trouble setting up https-inspection and I don't know how to
> > further troubleshoot.
> >
> > Currently I am getting an error in Firefox that says:
> > ```
> > Secure Connection Failed
> >
> > An error occurred during a connection to example.com. PR_END_OF_FILE_ERROR
> >
> > - The page you are trying to view cannot be shown because the
> > authenticity of the received data could not be verified.
> > ```
> >
> > curl output:
> > ```
> > $ http_proxy=127.0.0.1:8118 https_proxy=127.0.0.1:8118 curl -I https://example.com/
> > HTTP/1.1 200 Connection established
> >
> > curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
> > ```
> >
> > I've searched the web, and it suggested that PR_END_OF_FILE_ERROR is
> > related to mismatching cipher suites. I've played around with
> > cipher-list by way of commenting out the examples in the config. None of
> > them helped. I've even re-linked Privoxy with OpenSSL instead of MbedTLS
> > and tried the examples and the default as well, which didn't help,
> > either.
> >
> > My web search on PR_END_OF_FILE_ERROR also suggested to turn off DNS
> > over HTTPS. Tried that in Firefox, didn't work. Besides, curl is also
> > throwing an error.
> >
> > These are my settings in the Privoxy config file:
> > ```
> > actionsfile test.action
> > listen-address 127.0.0.1:8118
> > ca-cert-file cacert.crt
> > ca-key-file cakey.pem
> > ca-password [...]
> > certificate-directory /var/privoxy/certs
> > trusted-cas-file cacert.pem # downloaded from https://curl.se/[...]
> > ```
> >
> > To generate ca-cert-file and ca-key-file, I used this command, taken
> > from the comment in the config file:
> > ```
> > openssl req -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
> > ```
> >
> > cacert.crt:
> > ```
> > Issuer: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
> > Validity
> > Not Before: Sep 21 18:01:44 2022 GMT
> > Not After : Sep 18 18:01:44 2032 GMT
> > Subject: C = DE, ST = Some-State, O = Computer, OU = Privoxy, CN = localhost
> > ```
> >
> > I downloaded the trusted-cas-file from https://curl.se/ca/cacert.pem as in the
> > comment in the config. (But I also generated the file myself at first, which
> > didn't make Privoxy work.)
> >
> > test.action:
> > ```
> > {+https-inspection}
> > .example.com
> > ```
> >
> > ```
> > # ls -l /etc/privoxy/test.action /etc/privoxy/cacert.* /etc/privoxy/cakey.pem
> > -rw-rw---- 1 privoxy privoxy /etc/privoxy/test.action
> > -rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.crt
> > -rw-rw---- 1 privoxy privoxy /etc/privoxy/cacert.pem
> > -rw-rw---- 1 privoxy privoxy /etc/privoxy/cakey.pem
> >
> > # ls -ld /var/privoxy/
> > drwxr-x--- 3 privoxy privoxy /var/privoxy/
> > # ls -ld /var/privoxy/certs/
> > drwxr-x--- 2 privoxy privoxy /var/privoxy/certs/
> > ```
> >
> > There are some PEM files in certificate-directory, generated by Privoxy,
> > which are actually private keys.
> >
> > I verified that FEATURE_HTTPS_INSPECTION is set to "Yes" in
> > http://config.privoxy.org/show-status.
> >
> > In Firefox, I set proxy settings to:
> > HTTP: 127.0.0.1:8118
> > HTTPS: "use HTTP settings"
> >
> > In Firefox, I also imported the ca-cert-file in the "Authorities" tab in
> > the Certificate manager, and I set the trust to "This certificate can
> > identify websites".
> >
> > There are no errors in logdir/logfile. There is one message from a
> > previous permissions problem of test.action, so logging works, but
> > nothing related to this problem.
> >
> > I even restarted the privoxy service and Firefox, and still nothing.
> >
> >
> > I am now out of ideas. How could I proceed from here? Do you see
> > anything wrong in my settings?
> >
> > Thank you in advance.
> >
> > Kind regards.
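The path trap described in this thread (ca-cert-file, ca-key-file and trusted-cas-file are looked up under ca-directory, and ca-directory is resolved against the process working directory rather than confdir) can be caught before starting Privoxy, without raising the debug level. The following pre-flight check is an added example written for this page; it is not code from the poster or from the Privoxy project. It assumes what the thread reports: ca-directory defaults to `./CA/`, a relative ca-directory is joined to the current working directory, and the three CA file options are plain file names joined to that directory. The config parser is a deliberately simplified one (one `option value` per line, `#` starts a comment), and the sample config and the set of "existing" files are constructed to mirror the thread.

```python
"""Pre-flight check for Privoxy https-inspection CA file paths (added example)."""
import os

# Constructed sample config, mirroring the settings posted in the thread.
# ca-directory is NOT set, so the assumed default "./CA/" applies.
SAMPLE_CONFIG = """\
confdir /etc/privoxy
listen-address 127.0.0.1:8118
ca-cert-file cacert.crt
ca-key-file cakey.pem
certificate-directory /var/privoxy/certs
trusted-cas-file cacert.pem # downloaded from https://curl.se/[...]
"""

# Same config with ca-directory pointed at confdir by an absolute path,
# which is one way to avoid depending on the daemon's working directory.
FIXED_CONFIG = SAMPLE_CONFIG + "ca-directory /etc/privoxy\n"

# Options whose values are file names looked up under ca-directory.
CA_FILE_KEYS = ("ca-cert-file", "ca-key-file", "trusted-cas-file")
# Assumed default, as observed in the thread (not taken from Privoxy's source).
DEFAULT_CA_DIRECTORY = "./CA/"


def parse_config(text):
    """Return {option: value} for non-comment lines.

    Simplified parser: trailing '#' comments are stripped and the first
    whitespace separates the option name from its value.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def resolve_ca_paths(opts, cwd):
    """Compute the effective absolute path of each CA file.

    Assumption (from the thread): a relative ca-directory is resolved against
    the process working directory `cwd`, not against confdir; an absolute
    ca-directory is used as-is. Relative file names are joined to it.
    Returns (ca_dir_abs, {option: absolute_path}).
    """
    ca_dir = opts.get("ca-directory", DEFAULT_CA_DIRECTORY)
    ca_dir_abs = os.path.normpath(os.path.join(cwd, ca_dir))
    resolved = {}
    for key in CA_FILE_KEYS:
        if key in opts:
            resolved[key] = os.path.normpath(os.path.join(ca_dir_abs, opts[key]))
    return ca_dir_abs, resolved


def check_ca_files(opts, cwd, exists=os.path.isfile):
    """Return [(option, path)] for every CA file that does not exist.

    `exists` is injectable so the check can run against a constructed view of
    the filesystem; by default it consults the real one.
    """
    _, resolved = resolve_ca_paths(opts, cwd)
    return [(key, path) for key, path in resolved.items() if not exists(path)]


def report(config_text, cwd, exists=os.path.isfile):
    """Human-readable summary; returns True when all CA files are present."""
    opts = parse_config(config_text)
    ca_dir_abs, _ = resolve_ca_paths(opts, cwd)
    missing = check_ca_files(opts, cwd, exists)
    print(f"effective ca-directory: {ca_dir_abs}")
    for key, path in missing:
        print(f"  MISSING {key}: {path}")
    return not missing


if __name__ == "__main__":
    # Constructed view of the filesystem: the files live in confdir only.
    present = {"/etc/privoxy/cacert.crt", "/etc/privoxy/cakey.pem",
               "/etc/privoxy/cacert.pem"}
    print("-- as posted (daemon started with cwd=/)")
    report(SAMPLE_CONFIG, "/", present.__contains__)
    print("-- with ca-directory /etc/privoxy")
    report(FIXED_CONFIG, "/", present.__contains__)
```

Run against the constructed filesystem view, the first report lists all three files as missing under `/CA/`, which is exactly what the debug-8192 log line in this thread shows, while the second finds everything. Against a real host, call `report(open("/etc/privoxy/config").read(), cwd)` with `cwd` set to the directory the daemon is actually started from (it is the service manager's working directory, not necessarily confdir).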