alex1216 | So, I have PR1.2 with the latest CSSU-testing, and the BrowserLeaks SSL test says that Fennec can handle only TLS1.0... | 21:37 |
---|---|---|
sicelo | for TLS1.2, pretty much your only choice is a debian browser through easy debian, e.g. midori. Opera Mobile does have *some* TLS1.2 support iirc, which you have to enable manually in its config. It's hit-and-miss though. | 21:40 |
sicelo | someone made a local proxy, e.g. using nginx - that's something you can explore too | 21:41 |
alex1216 | sicelo: Speaking about OM, that is interesting. What versions of OM can be tweaked like this? It can even revive WinMo and Symbian a bit! | 21:41 |
alex1216 | sicelo: That proxy can be brought up in Easy Debian chroot, right? | 21:42 |
sicelo | OM12.1 on Fremantle, iirc (my N900 needs charging, i would confirm for you) | 21:42 |
sicelo | proxy - iirc it's statically compiled, and runs in fremantle, no chroot | 21:43 |
alex1216 | That's good. Is there a guide or binaries somewhere? | 21:45 |
Maxdamantus | Might be referring to my proxy, which doesn't use nginx. I don't think nginx quite helps. | 21:45 |
alex1216 | Maxdamantus: It is more about stunnel, isn't it? | 21:45 |
Maxdamantus | https://gist.github.com/Maxdamantus/e32ab94dbc5d9d43298428400020620e | 21:45 |
Maxdamantus | Not quite. It's just a MITM proxy. | 21:46 |
Maxdamantus | So your browser connects using its SSL through the proxy, and the proxy connects to the actual server using a newer version of openssl. | 21:47 |
sicelo | the nginx way - https://talk.maemo.org/showthread.php?p=1566371#post1566371 | 21:47 |
sicelo | so yeah, you have a lot of options :) | 21:47 |
Maxdamantus | The proxy will generate certificates on-the-fly which are signed by the provided CA cert, and the browser needs to trust that CA cert. | 21:47 |
Maxdamantus | Heh, that nginx "solution" is pretty funny. | 21:48 |
Maxdamantus | as mentioned, it's going to break links, since the browser needs to be making the requests over http rather than https. | 21:49 |
Maxdamantus | gtg | 21:49 |
alex1216 | Maxdamantus: I think it will manage to work this way too. | 21:51 |
alex1216 | Are stunnel or privoxy good ideas too? | 21:51 |
alex1216 | Anyway, thanks everyone. I'm going to try every option, at least now I know them a little. :) | 21:54 |
sicelo | yw | 21:54 |
Maxdamantus | I don't think stunnel itself will quite achieve either. | 21:56 |
Maxdamantus | if you want to do the SSL upgrade thing, you'd need something which generates certificates on-the-fly, which is done in my proxy. | 21:58 |
Maxdamantus | If you want to forward HTTP connections to HTTPS, you'd still need something to parse out HTTP headers, which is what nginx does in that other solution. | 21:58 |
Maxdamantus | You might be able to do something fairly crude with a shell script to parse out specifically the "Host" header and remove any "Connection: keep-alive" header, and also add a "Connection: close" header. | 22:00 |
Maxdamantus | Might need to make sure that the response also has a "Connection: close" header, since theoretically HTTP/1.1's default is keep-alive. | 22:01 |
Maxdamantus | The "Connection" header manipulation is important because if you don't do that, you'll also need to handle "Content-length: X" and "Transfer-encoding: chunked" in order to know when the headers for the next request start. | 22:03 |
Maxdamantus | ~ | 22:05 |
bencoh | Maxdamantus: I've always wondered how the n900 performed with that | 23:26 |
bencoh | decrypting/encrypting stuff sounds slightly expensive, especially considering we don't have AES hw accel iirc | 23:27 |
Maxdamantus | I don't think it's that significant, though I haven't really benchmarked it. | 23:44 |
Maxdamantus | I think the main performance issue I've noticed is in signing the certificates, which is done per connection. | 23:46 |
Maxdamantus | I've been meaning to refactor it so that it uses only one thread and so that it can cache certificates, haven't got round to that yet. | 23:46 |
Maxdamantus | it might be possible in either case to just use weaker encryption for the local stuff anyway, if that provides a significant improvement. | 23:47 |
Maxdamantus | using 5 MiB of the cachefly test, I got 353 KiB/s without the proxy and 404 KiB/s with the proxy. | 23:55 |
Maxdamantus | on cellular data atm, will do a better benchmark at home on WiFi. | 23:55 |