TLS1 to TLS1.2 Proxy or relay

Issues related to configuring your network
gbigras
Posts: 3
Joined: 2016/07/04 16:07:16

TLS1 to TLS1.2 Proxy or relay

Post by gbigras » 2017/12/15 22:16:21

Hi all,

I'm hoping that there's a way to configure a server as a TLS1 (or SSL3) to TLS1.2 proxy or relay.

I have some really old workstations running Suse 8 that cannot be updated or changed. They utilize a version of Firefox that supports up to TLSv1. The problem is they need to connect to a web server that in the near future will only support TLS1.2.

My first thought was to have an interim machine that the users can "ssh -X" to and run a newer Firefox that supports TLSv1.2 but I was wondering if the proxy method would work.

| workstation | <---ssl3/tls1---> | proxy | <---tls1.2---> | Apache svr |

Thanks in advance for your help.
(not sure if this should go in Networking Support ??)

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: TLS1 to TLS1.2 Proxy or relay

Post by pjsr2 » 2017/12/18 20:31:02

Put an Apache proxy server in front of these old machines.
With Apache ProxyPass you can redirect http to https and vice versa. See for example http://www.giuseppeurso.eu/en/redirect- ... proxypass/

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS1 to TLS1.2 Proxy or relay

Post by TrevorH » 2017/12/18 22:41:20

However, what you're describing is pretty much a man in the middle attack and I'd expect it to fail. I'd _hope_ it would fail...

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: TLS1 to TLS1.2 Proxy or relay

Post by pjsr2 » 2017/12/19 08:47:19

Clients with old software that cannot use TLS1.2 are by all means insecure and should never be given access to a public network. These clients should never be able to access something that you cannot fully trust and should even be restricted as much as possible on the internal network.

Using a proxy to strip the https is indeed a "man-in-the-middle" situation, so any users must be informed of this. If you do not explicitly inform the users, you are in many countries in violation of the law. (I wish I could have left out "in many countries" from the previous sentence.) As TrevorH rightfully points out, I should have mentioned this in my earlier contribution.

Also, if you automatically strip off https this way, you lose any information on certificate failures or warnings. Be aware of the security implications that come with that.
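As an added example (not from any poster in this thread, and not a config from the Apache project itself), this is what the Apache ProxyPass relay suggested above looks like when it is written so that the certificate-failure caveat just raised is addressed: the client-facing side accepts the legacy browsers' TLS 1.0, the backend-facing side talks TLS 1.2 only and verifies the backend's certificate against an internal CA, so a backend certificate problem becomes a 502 and an error-log entry at the relay rather than silently vanishing. The hostnames, file paths and the 10.0.0.0/24 workstation subnet are placeholders for the reader's own values; Apache 2.4 with mod_ssl and mod_proxy is assumed.

```apache
# Added example (not from the thread): Apache 2.4 as a TLS 1.0 -> TLS 1.2 relay.
# Front side: accepts TLS 1.0-1.2 from the legacy Suse 8 workstations.
# Back side: speaks TLS 1.2 only to the real web server and verifies its
# certificate, so certificate failures surface at the relay instead of
# being lost. Hostnames, paths and the subnet below are placeholders.

Listen 443 https
ProxyRequests Off          # reverse proxy only, never an open forward proxy

<VirtualHost *:443>
    ServerName legacy-relay.internal.example

    # --- client-facing side: legacy browsers ---
    SSLEngine on
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile    /etc/pki/tls/certs/legacy-relay.crt
    SSLCertificateKeyFile /etc/pki/tls/private/legacy-relay.key

    # Only the legacy workstation subnet may use the relay (placeholder range)
    <Location "/">
        Require ip 10.0.0.0/24
    </Location>

    # --- backend-facing side: TLS 1.2 only, certificate verified ---
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName on      # backend cert must match app.internal.example
    SSLProxyCheckPeerExpire on    # expired backend cert fails the request

    # Send the backend its own hostname so peer-name checking matches
    ProxyPreserveHost Off
    ProxyPass        "/" "https://app.internal.example/"
    ProxyPassReverse "/" "https://app.internal.example/"

    ErrorLog  logs/legacy-relay_error.log
    CustomLog logs/legacy-relay_access.log combined
</VirtualHost>
```

With `SSLProxyVerify require` and the peer-name and expiry checks, a bad or expired backend certificate produces a proxy error (HTTP 502) and a line in `legacy-relay_error.log`, which gives the operator the signal the old browser can no longer receive itself. The workstations still see only the relay's own certificate, so that certificate (or the internal CA that issued it) has to be imported into the old Firefox; the relay's front side deliberately does not offer SSLv3, which current OpenSSL builds no longer enable anyway.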

gbigras
Posts: 3
Joined: 2016/07/04 16:07:16

Re: TLS1 to TLS1.2 Proxy or relay

Post by gbigras » 2017/12/19 14:54:39

We are fully aware of the security issues and will inform users. The network (user workstations and even the web server) is completely internal with no direct access to/from the Internet.

I have many options to try: Firefox through an SSH tunnel, squid+SSL bump and Apache+proxy pass.

Thank you all for your responses. Much appreciated.

PS: I'll wait until I actually figure this out on my own before marking this as solved.
