I have reported this to misc with subject
Relayd as a HTTPS client
but no one replied.

On the January 7, 2016 amd64 snapshot, relayd accepts connections using TLS
versions 1.1 and 1.0. This is true even if you just do something like:

relay SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        forward with tls to destination
}

The manpage says that by default relayd uses only TLS version 1.2.
I have also tested a config with an explicit protocol declaration,
and within that protocol I specified the tls no tlsv1.0 option.

You can test the behaviour via:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_tls1_1 -no_tls1_2
or
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1
or go to:
https://www.ssllabs.com/ssltest/viewMyClient.html

This is the message I posted to misc a few days ago:

Hi,
I am using the following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect to servers using TLS versions
1.1 and 1.2. I don't want TLS version 1.0 and SSL version 3.0. Here is
the, I hope relevant, part of my config /etc/relayd.conf:

http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls tlsv1.1
        tls tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in a future
        # i don't use that config to my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
        pass
}

relay SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        protocol certKlient
        forward with tls to destination
}

The problem is that I can type into the terminal something like:

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 -no_tls1_2
or
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1

and tell Chromium to go to https://127.0.0.1:44330/
and it will connect using TLS version 1.0:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 
    Session-ID-ctx: 01000000
    Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
    Start Time: 1452113060
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version
1.0.

What should I add to /etc/relayd.conf to prevent that?
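A small check, added here as an example and not part of the original mail or of relayd, that derives the TLS versions a relayd protocol block is supposed to permit and compares them with the protocol line of an openssl s_server session summary; it assumes that "tls tlsvX" enables a version, "tls no tlsvX" disables one, and that only 1.2 is enabled by default, as the manpage quoted above describes.

```python
import re

# Constructed sample: the protocol block from the mail, with the version
# keywords modelled as "tls tlsvX" = enable, "tls no tlsvX" = disable
# (an assumption about relayd.conf semantics, not taken from relayd itself).
RELAYD_PROTOCOL = """
http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls  tlsv1.1
        tls  tlsv1.2
        pass
}
"""

# Constructed sample: the openssl s_server session summary quoted in the mail.
SSERVER_OUTPUT = """
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

VERSION_RE = re.compile(r"^\s*tls\s+(no\s+)?(tlsv1\.[0-2])\s*$", re.MULTILINE)


def allowed_versions(conf, default=("tlsv1.2",)):
    """Derive the TLS versions a relayd protocol block permits (assumed default: 1.2 only)."""
    allowed = set(default)
    for negate, version in VERSION_RE.findall(conf):
        if negate:
            allowed.discard(version)
        else:
            allowed.add(version)
    return allowed


def observed_version(output):
    """Pull the negotiated protocol out of an openssl s_server session summary."""
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Protocol line in s_server output")
    name = m.group(1).lower()
    # openssl prints "TLSv1" for TLS 1.0 and "TLSv1.1"/"TLSv1.2" for the others
    return "tlsv1.0" if name == "tlsv1" else name


def policy_violation(conf, output):
    """Return the negotiated version if it is outside the configured set, else None."""
    seen = observed_version(output)
    return seen if seen not in allowed_versions(conf) else None
```

With the two samples above, policy_violation reports "tlsv1.0": the handshake the mail shows is outside the set the protocol block asks for.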
