Chris Green
2021-Oct-11 07:52 UTC
ssh proxy connection used to work with Firefox, now doesn't
I used to use the following ssh command to set up a socks5 proxy to use with Firefox:-

    ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk

However I now get a security error from Firefox when I try it:-

    Secure Connection Failed

    The connection to the server was reset while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

Has anyone else encountered this and/or does anyone know how to fix it?

I'm pretty certain it's nothing to do with certificates etc. at cheddar.halon.org.uk. I have tried the same using another site as the proxy where I know (as I update them regularly) the SSL certificates are up to date and exactly the same error results.

It happens for *every* site you try to connect to through the proxy, I've tried Google, some of my own sites, other search engines, etc.

-- 
Chris Green
Darren Tucker
2021-Oct-11 08:13 UTC
ssh proxy connection used to work with Firefox, now doesn't
On Mon, 11 Oct 2021 at 18:54, Chris Green <cl at isbd.net> wrote:
>
> I used to use the following ssh command to set up a socks5 proxy to
> use with Firefox:-
>
> ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk

8080 is more often used for http proxies whereas 1080 is the registered port for SOCKS. Which are you using?

> I'm pretty certain it's nothing to do with certificates etc. at
> cheddar.halon.org.uk.

It's serving up at least some expired certificates:

$ openssl s_client -debug -connect cheddar.halon.org.uk:443
CONNECTED(00000003)
[...]
depth=0 CN = *.halon.org.uk
verify error:num=10:certificate has expired
notAfter=Dec 8 16:21:36 2016 GMT
verify return:1
depth=0 CN = *.halon.org.uk
notAfter=Dec 8 16:21:36 2016 GMT
verify return:1

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Jochen Bern
2021-Oct-11 08:41 UTC
ssh proxy connection used to work with Firefox, now doesn't
On 11.10.21 09:52, Chris Green wrote:
> I used to use the following ssh command to set up a socks5 proxy to
> use with Firefox:-
> ssh -fC2qTnN -D 8080 chris@cheddar.halon.org.uk
> However I now get a security error from Firefox when I try it:-
[...]
> Has anyone else encountered this and/or does anyone know how to fix it?
[...]
> It happens for *every* site you try to connect to through the proxy,
> I've tried Google, some of my own sites, other search engines, etc.

I'm under the impression that one shouldn't put too much trust into the exact wording of Firefox' error messages, so my recommendation is to verify the setup, step by step, with "more basic" tools. As in,

1. "telnet 127.0.0.1 8080" to verify that you can (locally) reach the SOCKS port (replace "127.0.0.1" with whatever host you specified in Firefox' proxy setting),
2. Use nc/ncat/netcat to make a simple! connection through the proxy (e.g., to the remote 127.0.0.1 port 22, to see the SSH server's hello)
3. Try Firefox+proxy to make a *non*-SSL connection, ...

Please try without the "-C" option, too, lest it somehow triggers an MTU problem or somesuch.

Off the top of my head, potentially relevant changes *in Firefox* (which has its own updating mechanism, check whether *that* one has automatic updates enabled, too) include "disable TLS 1.0 and 1.1 by default" and the set of server IPs exempt from the configured proxying (sometimes 127.0.0.1/32, sometimes 127.0.0.0/8, ...) - though I cannot see offhand how these would affect your entire testing series (against well-known external web servers) ...

Regards,
-- 
Jochen Bern
Systems Engineer

Binect GmbH
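
The first two checks suggested above (is the local port reachable, does it speak SOCKS5 rather than HTTP, does a plain connection pass through it), as an added example that is not part of the original thread. The function names are made up for this example; the proxy address 127.0.0.1:8080 and the destination 127.0.0.1 port 22 are assumptions taken from the ssh -D command and step 2.

```python
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}
GREETING = b"\x05\x01\x00"  # version 5, one method offered: 0x00 (no auth)

def check_method_reply(data):
    """Classify whatever the port sent back in answer to GREETING."""
    if data == b"\x05\x00":
        return "socks5"
    if data.startswith(b"HTTP"):
        return "http"    # an HTTP proxy or web server is listening here
    return "unknown" if data else "closed"

def connect_request(host, port):
    """CONNECT with a domain-name address, so the far end resolves the name."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def parse_connect_reply(header):
    """Map the 4-byte head of the CONNECT reply to the RFC 1928 reply text."""
    if len(header) < 4 or header[0] != 5:
        return "malformed"
    return REPLIES.get(header[1], "unassigned code %d" % header[1])

def probe(proxy=("127.0.0.1", 8080), dest=("127.0.0.1", 22), timeout=5.0):
    """Steps 1 and 2 against a live proxy: (kind, connect status, banner).
    Raises OSError if the port cannot be reached or stays silent."""
    with socket.create_connection(proxy, timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(GREETING)
        kind = check_method_reply(f.read1(64))
        if kind != "socks5":
            return kind, None, b""
        s.sendall(connect_request(*dest))
        head = f.read(4)
        status = parse_connect_reply(head)
        if status != "succeeded":
            return kind, status, b""
        # Skip the bound address: 4 bytes (IPv4), 16 (IPv6) or length-prefixed name.
        alen = {1: 4, 4: 16}.get(head[3]) or (f.read(1) or b"\0")[0]
        f.read(alen + 2)
        return kind, status, f.read1(256)   # e.g. the SSH server's hello

if __name__ == "__main__":
    print(probe())
```

A result of "socks5", "succeeded" and a banner starting with "SSH-" means the tunnel itself carries plain TCP correctly, which leaves the TLS layer or the browser configuration to look at.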