Could you elaborate (or share a configuration example) on how you use stunnel or haproxy to connect an old browser to encrypted websites? I usually use squid for that purpose, but I've been looking for alternatives.
stunnel configuration is useful for a limited number of sites, since one has to specify every remote ip address in the configuration file. haproxy configuration doesn't have that limitation; it can do dns lookups, use maps, etc.
for example, one can force all http and https to connect to a backend as https with a specific tls version. this is much simpler than eff's "https everywhere", IMHO.
the problem with tls is it keeps changing. as users, we have to bet that every application will stay up-to-date with the changes, and that the software authors won't make mistakes when adding/updating tls support. IME, this has been a losing bet. by just focusing on haproxy and stunnel i only have to worry about a couple of applications staying up-to-date with tls and implementing support correctly.
Thanks for elaborating. I'd be grateful for any resources or configuration examples that explain how to do this with haproxy in more detail. I couldn't really find anything, but then again, I'm not experienced with haproxy.
1vuio0pswjnm7|4 years ago
john-aj|4 years ago
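A sketch of the haproxy setup discussed in the thread, added here as an illustration and not taken from any commenter: plain HTTP arrives on a loopback listener, the Host header is resolved through DNS, and the request is re-sent to port 443 over TLS with a pinned minimum version and certificate verification. The listener port, resolver address, CA bundle path and the names `localdns`, `old_browser` and `tls_upstream` are assumptions; `do-resolve` needs HAProxy 2.0 or later.

```haproxy
# Added example: local HTTP-to-HTTPS upgrade proxy for a client that
# cannot negotiate current TLS. Addresses and paths are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

resolvers localdns
    nameserver ns1 127.0.0.1:53        # assumed local resolver
    resolve_retries 3
    timeout resolve 1s
    hold valid 10s

frontend old_browser
    # The browser-to-proxy leg is cleartext, so listen on loopback only.
    bind 127.0.0.1:8080
    # Resolve the requested host (port stripped) into a transaction variable.
    http-request do-resolve(txn.dstip,localdns,ipv4) req.hdr(host),field(1,:),lower
    # Fail closed when DNS resolution did not produce an address.
    http-request deny deny_status 503 unless { var(txn.dstip) -m found }
    default_backend tls_upstream

backend tls_upstream
    # Refuse names that resolve to loopback or private ranges, so the
    # proxy cannot be pointed at services on the local network.
    http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
    # Connect to the resolved address, always on the HTTPS port.
    http-request set-dst var(txn.dstip)
    http-request set-dst-port int(443)
    # 0.0.0.0:0 means "use the destination set above". The upstream leg is
    # TLS 1.2 or newer, the certificate chain is verified, and with
    # "verify required" the SNI name is also matched against the certificate.
    server upstream 0.0.0.0:0 ssl ssl-min-ver TLSv1.2 verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host),field(1,:),lower
```

Certificate checking now happens only in haproxy, so the `verify required` and `ca-file` settings are what stand between the old browser and an impersonated site; `haproxy -c -f <file>` validates the configuration before it is loaded.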