--- Begin Message ---
On Mon, Oct 11, 2021 at 10:41:47AM +0200, Jochen Bern wrote:
> On 11.10.21 09:52, Chris Green wrote:
> > I used to use the following ssh command to set up a socks5 proxy to
> > use with Firefox:-
> > ssh -fC2qTnN -D 8080 chris@xxxxxxxxxxxxxxxxxxxx
> > However I now get a security error from Firefox when I try it:-
> [...]
> > Has anyone else encountered this and/or does anyone know how to fix it?
> [...]
> > It happens for *every* site you try to connect to through the proxy,
> > I've tried Google, some of my own sites, other search engines, etc.
>
> I'm under the impression that one shouldn't put too much trust into the
> exact wording of Firefox' error messages, so my recommendation is to verify
> the setup, step by step, with "more basic" tools. As in,
>
Yes, very true! :-)
I have set up the proxy with "ssh -fC2qTnN -D 1080 chris@xxxxxxx" now
and results are as below:-
> 1. "telnet 127.0.0.1 8080" to verify that you can (locally) reach the SOCKS
> port (replace "127.0.0.1" with whatever host you specified in Firefox' proxy
> setting),
>
chris$ telnet 127.0.0.1 1080
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
So that's OK.
> 2. Use nc/ncat/netcat to make a simple! connection through the proxy (e.g.,
> to the remote 127.0.0.1 port 22, to see the SSH server's hello)
>
nc 127.0.0.1 1080
chris$ echo hello | nc 127.0.0.1 22
SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.1
Invalid SSH identification string.
chris$
... and that seems OK.
> 3. Try Firefox+proxy to make a *non*-SSL connection, ...
>
That produces exactly the same error even though I try to access
http://isbd.biz; when using the proxy, Firefox switches the URL to
https://www.isbd.biz. Without the proxy it accesses
http://isbd.biz quite happily.
> Please try without the "-C" option, too, lest it somehow triggers an MTU
> problem or somesuch.
>
No different, still the same error message.
> Off the top of my head, potentially relevant changes *in Firefox* (which has
> its own updating mechanism, check whether *that* one has automatic updates
> enabled, too) include "disable TLS 1.0 and 1.1 by default" and the set of
> server IPs exempt from the configured proxying (sometimes 127.0.0.1/32,
> sometimes 127.0.0.0/8, ...) - though I cannot see offhand how these would
> affect your entire testing series (against well-known external web servers)
Thanks for all the ideas.
I'm going to try a different browser now, see what happens!
--
Chris Green
--- End Message ---
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev