ssh proxy connection used to work with Firefox, now doesn't

Jochen Bern Jochen.Bern at binect.de
Mon Oct 11 19:41:47 AEDT 2021


On 11.10.21 09:52, Chris Green wrote:
> I used to use the following ssh command to set up a socks5 proxy to
> use with Firefox:-
>      ssh -fC2qTnN -D 8080 chris at cheddar.halon.org.uk
> However I now get a security error from Firefox when I try it:-
[...]
> Has anyone else encountered this and/or does anyone know how to fix it?
[...]
> It happens for *every* site you try to connect to through the proxy,
> I've tried Google, some of my own sites, other search engines, etc.

I'm under the impression that one shouldn't put too much trust into the 
exact wording of Firefox' error messages, so my recommendation is to 
verify the setup, step by step, with "more basic" tools. As in,

1. "telnet 127.0.0.1 8080" to verify that you can (locally) reach the 
SOCKS port (replace "127.0.0.1" with whatever host you specified in 
Firefox' proxy setting),

2. Use nc/ncat/netcat to make a simple! connection through the proxy 
(e.g., to the remote 127.0.0.1 port 22, to see the SSH server's hello)

3. Try Firefox+proxy to make a *non*-SSL connection, ...

Please try without the "-C" option, too, lest it somehow triggers an MTU 
problem or somesuch.

Off the top of my head, potentially relevant changes *in Firefox* (which 
has its own updating mechanism, check whether *that* one has automatic 
updates enabled, too) include "disable TLS 1.0 and 1.1 by default" and 
the set of server IPs exempt from the configured proxying (sometimes 
127.0.0.1/32, sometimes 127.0.0.0/8, ...) - though I cannot see offhand 
how these would affect your entire testing series (against well-known 
external web servers) ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
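
Steps 1 and 2 of the reply above can also be scripted. This is an added example, not part of the original message or of OpenSSH: it speaks SOCKS5 (RFC 1928) directly to the local listener and reports the stage at which the chain stops. The proxy address 127.0.0.1:8080 and the destination 127.0.0.1:22 are taken from the thread; the function names are assumptions made up for this example.

```python
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def connect_request(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name), so the proxy side resolves it."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def reply_status(header):
    """Readable status for the first bytes (VER, REP, ...) of a SOCKS5 reply."""
    if len(header) < 2 or header[0] != 5:
        return "not a SOCKS5 reply"
    return REPLIES.get(header[1], "unknown code %d" % header[1])

def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    return buf

def probe(proxy=("127.0.0.1", 8080), dest=("127.0.0.1", 22)):
    """Return (stage, detail), where stage names the point the chain stopped at."""
    try:
        s = socket.create_connection(proxy, timeout=5)       # step 1: port reachable?
    except OSError as e:
        return ("tcp", str(e))
    with s:
        try:
            s.sendall(b"\x05\x01\x00")                       # offer "no authentication"
            if recv_exact(s, 2) != b"\x05\x00":
                return ("greeting", "listener does not speak SOCKS5 without auth")
            s.sendall(connect_request(*dest))                # step 2: plain connection
            head = recv_exact(s, 4)
            if reply_status(head) != "succeeded":
                return ("connect", reply_status(head))
            alen = {1: 4, 4: 16}.get(head[3]) or recv_exact(s, 1)[0]
            recv_exact(s, alen + 2)                          # skip bound address and port
            banner = s.recv(256).decode("ascii", "replace").strip()
            return ("ok", banner) if banner else ("banner", "no data from destination")
        except (OSError, IndexError) as e:
            return ("io", str(e))

if __name__ == "__main__":
    print(probe())
```

An "ok" result with the SSH server's hello line means the tunnel itself forwards traffic, which leaves the browser side (step 3) as the next thing to check.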