[chris@isbd.co.uk: Re: ssh proxy connection used to work with Firefox, now doesn't]


Chris Green
Oct 11, 2021, 6:34:42 AM
to openssh-...@mindrot.org
On Mon, Oct 11, 2021 at 10:41:47AM +0200, Jochen Bern wrote:
> On 11.10.21 09:52, Chris Green wrote:
> > I used to use the following ssh command to set up a socks5 proxy to
> > use with Firefox:-
> > ssh -fC2qTnN -D 8080 ch...@cheddar.halon.org.uk
> > However I now get a security error from Firefox when I try it:-
> [...]
> > Has anyone else encountered this and/or does anyone know how to fix it?
> [...]
> > It happens for *every* site you try to connect to through the proxy,
> > I've tried Google, some of my own sites, other search engines, etc.
>
> I'm under the impression that one shouldn't put too much trust into the
> exact wording of Firefox' error messages, so my recommendation is to verify
> the setup, step by step, with "more basic" tools. As in,
>
Yes, very true! :-)

I have set up the proxy with "ssh -fC2qTnN -D 1080 ch...@isbd.uk" now
and results are as below:-


> 1. "telnet 127.0.0.1 8080" to verify that you can (locally) reach the SOCKS
> port (replace "127.0.0.1" with whatever host you specified in Firefox' proxy
> setting),
>
chris$ telnet 127.0.0.1 1080
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

So that's OK.


> 2. Use nc/ncat/netcat to make a simple! connection through the proxy (e.g.,
> to the remote 127.0.0.1 port 22, to see the SSH server's hello)
>
nc 127.0.0.1 1080

chris$ echo hello | nc 127.0.0.1 22
SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.1
Invalid SSH identification string.
chris$

... and that seems OK.


> 3. Try Firefox+proxy to make a *non*-SSL connection, ...
>
That produces exactly the same error even though I try to access
http://isbd.biz, when using the proxy Firefox switches the URL to
https://www.isbd.biz. Without the proxy it accesses
http://isbd.biz quite happily.


> Please try without the "-C" option, too, lest it somehow triggers an MTU
> problem or somesuch.
>
No different, still the same error message.

> Off the top of my head, potentially relevant changes *in Firefox* (which has
> its own updating mechanism, check whether *that* one has automatic updates
> enabled, too) include "disable TLS 1.0 and 1.1 by default" and the set of
> server IPs exempt from the configured proxying (sometimes 127.0.0.1/32,
> sometimes 127.0.0.0/8, ...) - though I cannot see offhand how these would
> affect your entire testing series (against well-known external web servers)

Thanks for all the ideas.

I'm going to try a different browser now, see what happens!


--
Chris Green

Chris Green
Oct 11, 2021, 7:45:16 AM
to openssh-...@mindrot.org
Sorry, I got this off list by mistake, I'm putting this back on the
list as it should have been.


> On 11.10.21 11:52, Chris Green wrote:
> > On Mon, Oct 11, 2021 at 10:41:47AM +0200, Jochen Bern wrote:
> > > 2. Use nc/ncat/netcat to make a simple! connection through the
> proxy (e.g.,
> > > to the remote 127.0.0.1 port 22, to see the SSH server's hello)
> >
> > chris$ echo hello | nc 127.0.0.1 22
>
>
> The keywords being "*through* the proxy". :-3
>
> The options syntax of nc/ncat/netcat varies *wildly* between versions,
> alas,
> that's why I didn't throw you a ready-to-use command. On *my* machine,
> that
> would be
>
> nc --proxy-type socks5 --proxy 127.0.0.1:1080 127.0.0.1 22
>
> - other versions I've seen want "-x" and "-X", etc. ...
>
Ah, oops, so now I've had a look at the nc man page here and tried:-

chris$ nc -X 5 -x 127.0.0.1:1080 127.0.0.1 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3

That's what you were looking for I guess and says the proxy is
working, so it's just Firefox doesn't like it.
>
>
> > > 3. Try Firefox+proxy to make a *non*-SSL connection, ...
> > >
> > That produces exactly the same error even though I try to access
> > http://isbd.biz, when using the proxy Firefox switches the URL to
> > https://www.isbd.biz
>
> In that case, it seems that the HTTP connection *worked*, because *someone*
> must've passed your browser a HTTP REDIRECT reply telling it to try connecting
> with HTTP*S* instead. Or do you have some plugin like SSLAnywhere etc. installed ... ?

I think it's just Firefox has got security paranoia and will try and
switch to HTTPS if it possibly can.

However I've now tried another non-HTTPS site and that *does* work, so
the proxy appears to be working, it's just that it doesn't work for
HTTPS sites.

It does seem as if it is just Firefox that is the problem, so sorry
for the noise here on ssh, I'll have to dig elsewhere.

--
Chris Green
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
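The "*through* the proxy" check that the thread ends up doing with `nc -X 5 -x 127.0.0.1:1080 127.0.0.1 22`, written out as an added Python example (not from the thread or from OpenSSH): it performs the SOCKS5 handshake of RFC 1928 against the `ssh -D` listener and reads the remote sshd banner, so each stage of the tunnel can be checked separately. The proxy address 127.0.0.1:1080 and target 127.0.0.1:22 are the ones used in the thread; the function and helper names are assumptions.

```python
import socket
import struct

# SOCKS5 wire constants (RFC 1928); ssh -D only offers "no authentication".
SOCKS_VERSION, NO_AUTH, CMD_CONNECT, ATYP_IPV4 = 0x05, 0x00, 0x01, 0x01

def build_greeting():
    """Client greeting: version 5, one method offered, method 0 (no auth)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect(host, port):
    """CONNECT request for an IPv4 literal; the address is reached from the ssh server side."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))

def check_method_reply(reply):
    """The proxy must echo version 5 and pick method 0; 0xFF means 'no acceptable method'."""
    if reply != bytes([SOCKS_VERSION, NO_AUTH]):
        raise ConnectionError(f"proxy refused our auth method: {reply.hex()}")

def parse_connect_reply(reply):
    """Return (status, bound_addr, bound_port); status 0 means the tunnel is up."""
    if len(reply) < 10 or reply[0] != SOCKS_VERSION or reply[3] != ATYP_IPV4:
        raise ConnectionError(f"malformed CONNECT reply: {reply.hex()}")
    return reply[1], socket.inet_ntoa(reply[4:8]), struct.unpack("!H", reply[8:10])[0]

def _read_exact(sock, n):
    """recv() may return short reads; gather exactly n bytes or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def banner_via_socks(proxy=("127.0.0.1", 1080), target=("127.0.0.1", 22)):
    """Equivalent of 'nc -X 5 -x 127.0.0.1:1080 127.0.0.1 22': return sshd's banner line."""
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(build_greeting())
        check_method_reply(_read_exact(s, 2))          # stage 1: method negotiation
        s.sendall(build_connect(*target))
        status, _, _ = parse_connect_reply(_read_exact(s, 10))  # stage 2: CONNECT
        if status != 0:
            raise ConnectionError(f"CONNECT failed with SOCKS status {status}")
        return s.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")  # stage 3: data

if __name__ == "__main__":
    print(banner_via_socks())  # prints the remote sshd identification string
```

A non-zero SOCKS status in stage 2 (e.g. 5, connection refused) means the tunnel itself is fine but the ssh server could not reach the target, which separates a proxy problem from a browser problem.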