I have a RHEL5 server in a private zone. I've set up a transparent proxy for ports 80 and 443. When I try a wget on 443, I get the following:
# wget -O- https://www.google.com
--2013-02-14 15:16:50-- https://www.google.com/
Resolving www.google.com... 74.125.129.147, 74.125.129.104, 74.125.129.106, ...
Connecting to www.google.com|74.125.129.147|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
I assume the proxy works because it's connecting. I don't know what else could be causing this.
This OpenSSL error indicates that wget sent the initial SSL ClientHello message, but gets an unexpected response from the server (or proxy) which was not an SSL ServerHello message.
This can be because the proxy speaks plain HTTP with the client, instead of HTTPS, because of a configuration error (e.g. with squid if port 443 is redirected to a http_port instead of https_port with the transparent option), or because it does not support transparent proxying of SSL at all. To debug, you may try connecting to http://www.google.com:443/ to see what happens. To know what's going on, you might want to run tcpdump while connecting to see what the server responds with. Also check the error log of your transparent proxy.
Without the transparent proxy configuration it is hard to tell what the problem is.
Related
I have an existing ssl certificate through LetsEncrypt for my domain. On the same server as my site I have an express app running at port :8080. Before adding the SSL to the domain I was able to make requests to http://domainname:8080.com. Now that the domain making the requests is https it obviously can't make those requests. If I instead make requests to https://domainname:8080.com, I get no response and instead get a timeout error.
I have attempted to curl -X -POST on the server manually and it returns (35) gnutls_handshake() failed: The TLS connection was non-properly terminated. If I however run the same command pointing to the non https domain it executes correctly. I also tried installing the https modules for express and pointing it to the same certs I'm using for the domain. For all my effort I cannot get this to work. What am I missing here? I want to make requests to a port on the same server that is serving my app.
Setup a reverse proxy in my nginx site config from the domain to the ip address the express server was running on. This solved all the issues I was having.
I want to do https_proxy via squid.
what i say "https_proxy" is not visiting https websites through http proxy, I mean between proxy server and I , the line must use https(even visiting http website)
And I dont care what protocal/scheme it is between real website and proxy server
I know that I have to download source and ./configure --enable-ssl complie
After that ,I found when I run squid3 with https_port 443 cert=/usr/local/etc/certs/squid.cert key=/xxx in squid.config , there is no error (if thereis no --enable-ssl ,adding the https_port into the config file will result in error msg) , which I guess I have done the right step
How ever , the port I specified was not in netstat -anp , I guess there is something else to do.
So what is the problem?
Can I configure the Tor Browser Bundle so that it becomes an extra hop after the Tor exit node without using special OS such as Whonix?
The Tor Browser Bundle just comes pre-configured to use Tor as a socks proxy so as far as I know, you cannot add an extra HTTP proxy after Tor.
Another alternative to using a special OS would be to use proxychains to chain requests through Tor and then an HTTP proxy. You wouldn't necessarily want or need to use the Tor Browser Bundle for this.
I have Tor running locally on port 9050 so I added these lines to my proxychains.conf file under the [ProxyList] section:
[ProxyList]
# tor
socks5 127.0.0.1 9050
# then chain through http proxy
http 2.3.4.5 80
Then to launch your browser which will proxy through Tor and then the HTTP proxy, run proxychains /usr/bin/firefox
It will cause all connections from the browser to first go through Tor, then through the HTTP proxy.
You should see output similar to this on the command line to know its working:
|S-chain|-<>-127.0.0.1:9050-<>-2.3.4.5:80-<><>-74.125.239.39:443-<><>-OK
127.0.0.1:9050 shows it chained through Tor, then 2.3.4.5:80 is the HTTP proxy, and finally out to the destination 74.125.239.39:4443 (Google).
A note on security, I used firefox browser for the example. You could use Tor browser instead but you will want to make sure its proxy configuration is set not to use a proxy since you're already chaining through Tor via proxychains.
Tor Browser will be a little safer since it won't keep history/cache and its signature much less unique.
Hope that helps.
I am trying to download a serious of scripts ... unfortunately it doesn't work.
shell:
$ wget --secure-protocol=TLSv1 --user=username --password=password --no-check-certificate https://www.example.com/bla/foo/bar/secure/1.pdf
respond:
--2014-10-06 12:49:26-- https://www.example.com/bla/foo/bar/secure/1.pdf
Resolving www.example.com (www.example.com)... xxx.xxx.xx.xx
Connecting to www.example.com (www.example.com)| xxx.xxx.xx.xx|:443... connected.
OpenSSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
Unable to establish SSL connection.
There can be lots of reasons why this fails with this error, among them:
server is unable to cope with newer TLS versions
server requires client authentication
server has a misbehaving SSL load balancer in front
there is a firewall between you and the server rejecting your traffic after initial inspection
That's all which can be said from the information you provide.
You might check the server against sslabs to get more information or provide more details in your question, like the real URL.
Edit: The requested server is www2.cs.fau.de. This server supports only SSLv3 and croaks on TLSv1 (instead of just responding with SSLv3), so you need to enforce SSLv3 with wget:
wget --secure-protocol=SSLv3 ...
The certificate of the server can be verified against the usual trusted CA on Linux, so you probably don't need the --no-check-certificate option.
Most browsers can access this site because they automatically downgrade to older SSL versions if connects with more modern versions does not succeed, but tools like curl or wget do not retry with downgraded versions.
I am making a request to a remote server using https and request, and getting a new error after updating node and request:
nes.get err: [Error: 140735207432576:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:../deps/openssl/openssl/ssl/s23_clnt.c:741:
I already have the protocol set to SSLv3, so I'm wondering why it appears to be using tlsv1.
https.globalAgent.options.secureProtocol = 'SSLv3_method';
I've also tried adding this to request's options:
secureProtocol: 'SSLv3_method'
This error did not occur with earlier versions of Node.js and request, but now with node v0.10.15 and request 2.26.0, it has surfaced. Any ideas? Thanks!
Update -- narrowed this down to something that changes between request 2.14.0 and 2.16.0. 2.14.0 works and 2.16.0 does not work.
Make sure you are making a secure request to the correct port.
I've received this error when attempting to make a secure request to port 80 instead of port 443.
I would fire up Wireshark to verify that the bits on the wire are what you think they should be.