openssh unix dev - Oct 2021 - ssh proxy connection used to work with Firefox, now doesn't

On Mon, Oct 11, 2021 at 07:13:37PM +1100, Darren Tucker
wrote:
> On Mon, 11 Oct 2021 at 18:54, Chris Green <cl at isbd.net> wrote:
> >
> > I used to use the following ssh command to set up a socks5 proxy to
> > use with Firefox:-
> >
> >     ssh -fC2qTnN -D 8080 chris at cheddar.halon.org.uk
> 
> 8080 is more often used for http proxies whereas 1080 is the
> registered port for SOCKS.  Which are you using?
> 
Well the command above is exactly what I have in my script for doing
this, so I was using 8080.  Firefox allows you to specify what port to
use so I just set 8080 there too.  I can certainly try 1080 instead.

> > I'm pretty certain it's nothing to do with certificates etc.
at
> > cheddar.halon.org.uk.
> 
> It's serving up at least some expired certificates:
> 
> $ openssl s_client -debug -connect cheddar.halon.org.uk:443
> CONNECTED(00000003)
> [...]
> depth=0 CN = *.halon.org.uk
> verify error:num=10:certificate has expired
> notAfter=Dec  8 16:21:36 2016 GMT
> verify return:1
> depth=0 CN = *.halon.org.uk
> notAfter=Dec  8 16:21:36 2016 GMT
> verify return:1
> 
I just have a user login at cheddar.halon.org.uk, it's not my site.
However I have also tried isbd.uk which is my own virtual server and
the certificates there are up to date.  It produces exactly the same
error when I try to use it as a proxy.

I don't believe this is a certificate problem, I think it's something
that has changed in Firefox that needs something different/more to
allow it to work.

-- 
Chris Green

OK, I have used the following command:-

    ssh -fC2qTnN -D 1080 chris at isbd.uk

... and it results in exactly the same error as I originally reported.
So I don't think the port number matters and the certificates at
isbd.uk are up to date.

As I said I'm pretty certain it's something more that Firefox is now
demanding, but I don't know what.

Thanks for your reply, just bouncing ideas back and forth can often
sort this sort of thing out.

-- 
Chris Green

On Mon, 11 Oct 2021 at 19:41, Chris Green <cl at isbd.net>
wrote:
> On Mon, Oct 11, 2021 at 07:13:37PM +1100, Darren Tucker wrote:
> > On Mon, 11 Oct 2021 at 18:54, Chris Green <cl at isbd.net>
wrote:
> > > I used to use the following ssh command to set up a socks5 proxy
to
> > > use with Firefox:-
> > >
> > >     ssh -fC2qTnN -D 8080 chris at cheddar.halon.org.uk
> >
> > 8080 is more often used for http proxies whereas 1080 is the
> > registered port for SOCKS.  Which are you using?
> >
> Well the command above is exactly what I have in my script for doing
> this, so I was using 8080.  Firefox allows you to specify what port to
> use so I just set 8080 there too.  I can certainly try 1080 instead.
I meant which *proxy protocol* are you using?  Firefox supports two:
HTTP (commonly port 3128 or 8080, with GET and CONNECT variants for
HTTP and HTTPS respectively) and SOCKS (commonly port 1080).   ssh -D
offers only SOCKS.

Firefox has multiple places to configure proxies: several for HTTP
proxies (http, https, and ftp) plus one for SOCKS.  If you point a
HTTP-style proxy setting at a SOCKS proxy server like ssh -D then it's
not going to work.  You should only have the SOCKS proxy setting
populated.



--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.