
ssh proxy connection used to work with Firefox, now doesn't
I used to use the following ssh command to set up a socks5 proxy to
use with Firefox:-

ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk

However I now get a security error from Firefox when I try it:-

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this
problem.


Has anyone else encountered this and/or does anyone know how to fix it?

I'm pretty certain it's nothing to do with certificates etc. at
cheddar.halon.org.uk. I have tried the same using another site as the
proxy where I know (as I update them regularly) the SSL certificates
are up to date and exactly the same error results.

It happens for *every* site you try to connect to through the proxy;
I've tried Google, some of my own sites, other search engines, etc.

--
Chris Green
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ssh proxy connection used to work with Firefox, now doesn't
On Mon, 11 Oct 2021 at 18:54, Chris Green <cl@isbd.net> wrote:
>
> I used to use the following ssh command to set up a socks5 proxy to
> use with Firefox:-
>
> ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk

8080 is more often used for http proxies whereas 1080 is the
registered port for SOCKS. Which are you using?

> I'm pretty certain it's nothing to do with certificates etc. at
> cheddar.halon.org.uk.

It's serving up at least some expired certificates:

$ openssl s_client -debug -connect cheddar.halon.org.uk:443
CONNECTED(00000003)
[...]
depth=0 CN = *.halon.org.uk
verify error:num=10:certificate has expired
notAfter=Dec 8 16:21:36 2016 GMT
verify return:1
depth=0 CN = *.halon.org.uk
notAfter=Dec 8 16:21:36 2016 GMT
verify return:1

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: ssh proxy connection used to work with Firefox, now doesn't
On Mon, Oct 11, 2021 at 07:13:37PM +1100, Darren Tucker wrote:
> On Mon, 11 Oct 2021 at 18:54, Chris Green <cl@isbd.net> wrote:
> >
> > I used to use the following ssh command to set up a socks5 proxy to
> > use with Firefox:-
> >
> > ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk
>
> 8080 is more often used for http proxies whereas 1080 is the
> registered port for SOCKS. Which are you using?
>
Well the command above is exactly what I have in my script for doing
this, so I was using 8080. Firefox allows you to specify what port to
use so I just set 8080 there too. I can certainly try 1080 instead.


> > I'm pretty certain it's nothing to do with certificates etc. at
> > cheddar.halon.org.uk.
>
> It's serving up at least some expired certificates:
>
> $ openssl s_client -debug -connect cheddar.halon.org.uk:443
> CONNECTED(00000003)
> [...]
> depth=0 CN = *.halon.org.uk
> verify error:num=10:certificate has expired
> notAfter=Dec 8 16:21:36 2016 GMT
> verify return:1
> depth=0 CN = *.halon.org.uk
> notAfter=Dec 8 16:21:36 2016 GMT
> verify return:1
>
I just have a user login at cheddar.halon.org.uk; it's not my site.
However I have also tried isbd.uk which is my own virtual server and
the certificates there are up to date. It produces exactly the same
error when I try to use it as a proxy.

I don't believe this is a certificate problem; I think it's something
that has changed in Firefox that needs something different/more to
allow it to work.

--
Chris Green
Re: ssh proxy connection used to work with Firefox, now doesn't
On 11.10.21 09:52, Chris Green wrote:
> I used to use the following ssh command to set up a socks5 proxy to
> use with Firefox:-
> ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk
> However I now get a security error from Firefox when I try it:-
[...]
> Has anyone else encountered this and/or does anyone know how to fix it?
[...]
> It happens for *every* site you try to connect to through the proxy,
> I've tried Google, some of my own sites, other search engines, etc.

I'm under the impression that one shouldn't put too much trust into the
exact wording of Firefox' error messages, so my recommendation is to
verify the setup, step by step, with "more basic" tools. As in,

1. "telnet 127.0.0.1 8080" to verify that you can (locally) reach the
SOCKS port (replace "127.0.0.1" with whatever host you specified in
Firefox' proxy setting),

2. Use nc/ncat/netcat to make a simple! connection through the proxy
(e.g., to the remote 127.0.0.1 port 22, to see the SSH server's hello)

3. Try Firefox+proxy to make a *non*-SSL connection, ...

Please try without the "-C" option, too, lest it somehow triggers an MTU
problem or somesuch.

Off the top of my head, potentially relevant changes *in Firefox* (which
has its own updating mechanism, check whether *that* one has automatic
updates enabled, too) include "disable TLS 1.0 and 1.1 by default" and
the set of server IPs exempt from the configured proxying (sometimes
127.0.0.1/32, sometimes 127.0.0.0/8, ...) - though I cannot see offhand
how these would affect your entire testing series (against well-known
external web servers) ...

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: ssh proxy connection used to work with Firefox, now doesn't
OK, I have used the following command:-

ssh -fC2qTnN -D 1080 chris@isbd.uk

... and it results in exactly the same error as I originally reported.
So I don't think the port number matters and the certificates at
isbd.uk are up to date.

As I said, I'm pretty certain it's something more that Firefox is now
demanding, but I don't know what.

Thanks for your reply, just bouncing ideas back and forth can often
sort this sort of thing out.

--
Chris Green
Re: ssh proxy connection used to work with Firefox, now doesn't
On 11/10/2021 09:46, Chris Green wrote:
> ... and it results in exactly the same error as I originally reported.
> So I don't think the port number matters and the certificates at
> isbd.uk are up to date.

There's a problem for some clients though:

$ curl https://isbd.uk
curl: (60) SSL certificate problem: certificate has expired

$ openssl s_client -connect isbd.uk:443 -servername isbd.uk -showcerts
...
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0

This is on macOS 10.14.6.  It's possible that your Firefox is affected
by the expiry of the DST X3 cert, like curl and openssl on this old mac are.

For the full details of what's happened see:

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

The slightly shorter version is: LetsEncrypt returns a certificate chain
like this:

<your server signed by LetsEncrypt R3>
|
<LetsEncrypt R3 signed by ISRG X1>
|
<ISRG X1 signed by DST X3>

These days, your browser's trust store should contain the ISRG X1 root,
and it should use that as the trust anchor, and it should ignore the
final cert.

ISRG X1 was signed by DST X3 for the benefit of the early days, before
the ISRG X1 root was widely trusted.

However, recently the actual DST X3 root certificate expired. (That's
what expired on Sep 30 14:01:15 2021 GMT; googling for that date is
helpful).

*Some* clients are now borked, even if they trust ISRG X1.  They see
that the chain of trust ends in an expired certificate, without
realising that the chain of trust should terminate early on ISRG X1.

Why do LetsEncrypt include the DST X3 cert in the chain?  Because it
helps some very old Android devices which (a) still don't have the ISRG
X1 in their trust store, and (b) have a bug which allows them to trust a
root certificate in their store even after it has expired.

Try removing the DST X3 from the chain on those servers, and see if the
problem goes away.

If you are using dehydrated to issue certs, then add
PREFERRED_CHAIN="ISRG Root X1"
in the config file. <https://github.com/dehydrated-io/dehydrated/issues/808>

Regards,

Brian.

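The chain logic in Brian's post (stop at the first trusted anchor versus walk to the end of what the server sent, plus the old-Android quirk of trusting an expired root) can be modelled without any real certificates. The following is an added example, not code from the thread or from any Let's Encrypt tooling; it checks only subject/issuer linkage and expiry dates, never signatures, and every date except the DST Root CA X3 expiry quoted in the thread is an illustrative placeholder.

```python
from datetime import datetime, timezone
from typing import NamedTuple


class Cert(NamedTuple):
    """Only the fields path building needs; signatures are NOT modelled."""
    subject: str
    issuer: str
    not_after: datetime


def utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Constructed toy chain mirroring the layout described in the post. The DST Root
# CA X3 expiry is the one quoted in the thread; the other dates are placeholders.
LEAF = Cert("isbd.uk", "R3", utc(2021, 12, 31))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed copy
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14, 1, 15))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))       # self-signed root

FULL_CHAIN = [LEAF, R3, X1_CROSS]   # what the server sends by default
SHORT_CHAIN = [LEAF, R3]            # the "remove DST X3 from the chain" fix

MODERN_STORE = {c.subject: c for c in (ISRG_X1, DST_X3)}   # has both roots
OLD_ANDROID_STORE = {DST_X3.subject: DST_X3}                # never got ISRG X1


def verify_chain(chain, trust_store, now, stop_at_anchor=True, trust_expired_roots=False):
    """Model of path validation. trust_store maps subject -> root Cert.

    stop_at_anchor=True  stops as soon as a certificate's issuer is a trusted
                         root (correct behaviour: the cross-signed X1 is ignored).
    stop_at_anchor=False walks the whole presented chain and only then looks the
                         last issuer up (the broken clients in the post).
    trust_expired_roots  reproduces the old-Android quirk the post describes.
    Returns (ok, reason).
    """
    def anchored(anchor):
        if anchor.not_after < now and not trust_expired_roots:
            return False, "trust anchor %s expired on %s" % (anchor.subject, anchor.not_after.date())
        return True, "anchored at %s" % anchor.subject

    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, "%s expired on %s" % (cert.subject, cert.not_after.date())
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False, "%s is not the issuer of %s" % (cert.subject, chain[i - 1].subject)
        if stop_at_anchor and cert.issuer in trust_store:
            return anchored(trust_store[cert.issuer])
    if chain[-1].issuer not in trust_store:
        return False, "issuer %s is not in the trust store" % chain[-1].issuer
    return anchored(trust_store[chain[-1].issuer])


if __name__ == "__main__":
    now = utc(2021, 10, 11)
    print("modern client, full chain:  ", verify_chain(FULL_CHAIN, MODERN_STORE, now))
    print("broken client, full chain:  ", verify_chain(FULL_CHAIN, MODERN_STORE, now, stop_at_anchor=False))
    print("broken client, short chain: ", verify_chain(SHORT_CHAIN, MODERN_STORE, now, stop_at_anchor=False))
    print("old Android, full chain:    ", verify_chain(FULL_CHAIN, OLD_ANDROID_STORE, now, trust_expired_roots=True))
    print("old Android, short chain:   ", verify_chain(SHORT_CHAIN, OLD_ANDROID_STORE, now, trust_expired_roots=True))
```

Run as written it prints the five scenarios from the post: a correct client is fine with the full chain, a client that insists on walking to the end fails on the expired DST X3 and is fixed by the shorter chain, and the shorter chain is exactly what leaves the old Android store with nothing to anchor on.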
Re: ssh proxy connection used to work with Firefox, now doesn't
On Mon, Oct 11, 2021 at 10:05:34AM +0100, Brian Candler wrote:
> On 11/10/2021 09:46, Chris Green wrote:
> > ... and it results in exactly the same error as I originally reported.
> > So I don't think the port number matters and the certificates at
> > isbd.uk are up to date.
>
> There's a problem for some clients though:
>
> $ curl https://isbd.uk
> curl: (60) SSL certificate problem: certificate has expired
>
> $ openssl s_client -connect isbd.uk:443 -servername isbd.uk -showcerts
> ...
> depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:0
> depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:0
> depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify error:num=10:certificate has expired
> notAfter=Sep 30 14:01:15 2021 GMT
> verify return:0
>
> This is on macOS 10.14.6. It's possible that your Firefox is affected by
> the expiry of the DST X3 cert, like curl and openssl on this old mac are.
>
> For the full details of what's happened see:
>
> https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
> https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/
>
> The slightly shorter version is: LetsEncrypt returns a certificate chain
> like this:
>
> <your server signed by LetsEncrypt R3>
> |
> <LetsEncrypt R3 signed by ISRG X1>
> |
> <ISRG X1 signed by DST X3>
>
> These days, your browser's trust store should contain the ISRG X1 root, and
> it should use that as the trust anchor, and it should ignore the final cert.
>
> ISRG X1 was signed by DST X3 for the benefit of the early days, before the
> ISRG X1 root was widely trusted.
>
> However, recently the actual DST X3 root certificate expired. (That's what
> expired on Sep 30 14:01:15 2021 GMT; googling for that date is helpful).
>
> *Some* clients are now borked, even if they trust ISRG X1. They see that
> the chain of trust ends in an expired certificate, without realising that
> the chain of trust should terminate early on ISRG X1.
>
> Why do LetsEncrypt include the DST X3 cert in the chain? Because it helps
> some very old Android devices which (a) still don't have the ISRG X1 in
> their trust store, and (b) have a bug which allows them to trust a root
> certificate in their store even after it has expired.
>
> Try removing the DST X3 from the chain on those servers, and see if the
> problem goes away.
>
> If you are using dehydrated to issue certs, then add
> PREFERRED_CHAIN="ISRG Root X1"
> in the config file. <https://github.com/dehydrated-io/dehydrated/issues/808>
>
Wow! Thanks for that long explanation.

However I'm still a bit stuck.

If I simply visit the isbd.uk web site directly using Firefox then
everything works as it should (and it is an HTTPS site so the
certificates are being used/seen by Firefox).

It's only when I try and use isbd.uk as a proxy to other (definitely
OK sites, e.g. duckduckgo.com, google.co.uk, etc.) that I get the error.

So is using isbd.uk as a proxy somehow using different certificates
and getting the old hierarchy to the now discontinued root certificate?

... and it seems odd that I'm getting exactly the same problem when
using a different proxy server.

I can possibly try some other sites as proxy servers but I'm
unconvinced that it's going to help.

I'm also rather unfamiliar with all this SSL certificate stuff so
dehydrated means nothing to me. I use certbot on isbd.uk to update
certificates, rather mindlessly I'm afraid.

--
Chris Green
Re: ssh proxy connection used to work with Firefox, now doesn't
On 11/10/2021 10:23, Chris Green wrote:
> If I simply visit the isbd.uk web site directly using Firefox then
> everything works as it should (and it is an HTTPS site so the
> certificates are being used/seen by Firefox).
>
> It's only when I try and use isbd.uk as a proxy to other (definitely
> OK sites, e.g. duckduckgo.com, google.co.uk, etc.) that I get the error.

Ah in that case, what I described was not the problem, sorry. Somehow
Firefox doesn't like using the proxy on 1080.

Using tcpdump on localhost might show you how far it gets into the
connection attempt.

Determining whether this is a Firefox issue or not might involve using
some other SOCKS client to test.

Re: ssh proxy connection used to work with Firefox, now doesn't
On Mon, 11 Oct 2021 at 19:41, Chris Green <cl@isbd.net> wrote:
> On Mon, Oct 11, 2021 at 07:13:37PM +1100, Darren Tucker wrote:
> > On Mon, 11 Oct 2021 at 18:54, Chris Green <cl@isbd.net> wrote:
> > > I used to use the following ssh command to set up a socks5 proxy to
> > > use with Firefox:-
> > >
> > > ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk
> >
> > 8080 is more often used for http proxies whereas 1080 is the
> > registered port for SOCKS. Which are you using?
> >
> Well the command above is exactly what I have in my script for doing
> this, so I was using 8080. Firefox allows you to specify what port to
> use so I just set 8080 there too. I can certainly try 1080 instead.

I meant which *proxy protocol* are you using? Firefox supports two:
HTTP (commonly port 3128 or 8080, with GET and CONNECT variants for
HTTP and HTTPS respectively) and SOCKS (commonly port 1080). ssh -D
offers only SOCKS.

Firefox has multiple places to configure proxies: several for HTTP
proxies (http, https, and ftp) plus one for SOCKS. If you point an
HTTP-style proxy setting at a SOCKS proxy server like ssh -D then it's
not going to work. You should only have the SOCKS proxy setting
populated.



--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: ssh proxy connection used to work with Firefox, now doesn't
On Tue, Oct 12, 2021 at 12:52:45PM +1100, Darren Tucker wrote:
> On Mon, 11 Oct 2021 at 19:41, Chris Green <cl@isbd.net> wrote:
> > On Mon, Oct 11, 2021 at 07:13:37PM +1100, Darren Tucker wrote:
> > > On Mon, 11 Oct 2021 at 18:54, Chris Green <cl@isbd.net> wrote:
> > > > I used to use the following ssh command to set up a socks5 proxy to
> > > > use with Firefox:-
> > > >
> > > > ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk
> > >
> > > 8080 is more often used for http proxies whereas 1080 is the
> > > registered port for SOCKS. Which are you using?
> > >
> > Well the command above is exactly what I have in my script for doing
> > this, so I was using 8080. Firefox allows you to specify what port to
> > use so I just set 8080 there too. I can certainly try 1080 instead.
>
> I meant which *proxy protocol* are you using? Firefox supports two:
> HTTP (commonly port 3128 or 8080, with GET and CONNECT variants for
> HTTP and HTTPS respectively) and SOCKS (commonly port 1080). ssh -D
> offers only SOCKS.
>
> Firefox has multiple places to configure proxies: several for HTTP
> proxies (http, https, and ftp) plus one for SOCKS. If you point an
> HTTP-style proxy setting at a SOCKS proxy server like ssh -D then it's
> not going to work. You should only have the SOCKS proxy setting
> populated.
>
Which is *exactly* what my problem was; I had all three (HTTP, HTTPS
and SOCKS) configured. I'm sure I had it set up this way previously
and it worked, but maybe I'm remembering wrong. Anyway it now works
exactly as it should! :-)

--
Chris Green