Lampshade([email protected]) on 2016.01.10 14:35:05 +0100:
> I have reported this to misc with subject
> Relayd as a HTTPS client
> but no one replied.
Hi,
with a config like this:
# -----------------------------------------
log all
http protocol myproxy {
match request path log "*"
pass
}
relay https_proxy {
listen on 127.0.0.1 port 7443 tls
protocol myproxy
forward with tls to destination
}
# -----------------------------------------
you will have TLS 1.2 connections only, both between the client and relayd
and between relayd and the server. If one of them does not allow 1.2, the
connection will fail.
With the options
tls { no tlsv1, tlsv1.1, tlsv1.2 }
you will have all connections (both between client and relayd and between
relayd and server) at least with TLS 1.1.
If this does not help you, please provide your complete configuration and
dmesg, and say what you are trying to do.
Best regards,
Benno
> On snapshot January 7, 2016 amd64
> relayd accepts connections using TLS in versions
> 1.1 and 1.0. This is true even if you just do something like:
>
> relay SendReencryptNormal {
> listen on 127.0.0.1 port 7443
> forward with tls to destination
> }
>
> The manpage says that by default relayd uses TLS only
> in version 1.2. I have also tested a config with an explicit
> protocol declaration, and within that protocol
> I specified the tls no tlsv1.0 option.
>
> You can test behaviour via:
> openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_tls1_1 -no_tls1_2
> or
> openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1
> or go to:
> https://www.ssllabs.com/ssltest/viewMyClient.html
>
> This is message I posted to misc few days ago:
>
> Hi,
> I am using the following configuration to connect to TLS websites:
> Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet
> I want to focus on relayd as a client in this mailing list thread.
> I want to instruct relayd as a client to only connect to servers using TLS versions
> 1.1 and 1.2. I don't want TLS version 1.0 or SSL version 3.0. Here is
> the, I hope relevant, part of my config /etc/relayd.conf:
>
> http protocol certKlient {
>     tls no cipher-server-preference
>     tls no tlsv1.0
>     tls tlsv1.1
>     tls tlsv1.2
>     tls ca key "/etc/ssl/private/ca.key" password "domek"  # I will change that in the future
>     # I don't use that config for my bank account and other relevant websites
>     tls ca cert "/etc/ssl/ca.crt"
>     tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
>     pass
> }
>
> relay SendReencryptNormal {
>     listen on 127.0.0.1 port 7443
>     protocol certKlient
>     forward with tls to destination
> }
>
> The problem is that I can type into terminal something like:
>
> openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 -no_tls1_2
> or
> openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1
>
> and tell Chromium to go to: https://127.0.0.1:44330/
> and it will connect using TLS version 1.0.
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID:
>     Session-ID-ctx: 01000000
>     Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
>     Start Time: 1452113060
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>
> I can also go to:
> https://www.ssllabs.com/ssltest/viewMyClient.html
> and this website also tells me that I can be connected using TLS version
> 1.0.
>
> So this is my main problem: I don't want to connect using TLS version
> 1.0.
>
> What should I add to /etc/relayd.conf to prevent that?
>
--
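The thread settles the question by reading the "Protocol :" line that openssl prints (the s_server -www page above, or s_client output) by eye, one version at a time. The script below automates that check. It is an added example written for this page, not code from the thread, from relayd or from OpenBSD: negotiated_protocol() parses the session block that openssl s_client/s_server print, proto_rank()/meets_minimum() compare the result against a minimum version, and probe_version()/probe_all() force one protocol version per handshake with openssl s_client against a host:port you supply (for instance 127.0.0.1:7443 for a relayd listener, or 127.0.0.1:44330 for an s_server as in the thread). The -tls1/-tls1_1/-tls1_2 flags are real openssl s_client options; an openssl build that has removed a version will refuse the flag, which this script reports as "none" like a refused handshake, so read "none" as "not negotiated", not as proof the peer rejected it. The sample session text in the test is constructed from the thread's output.

```shell
#!/bin/sh
# Added example (not from the thread or relayd): find out which TLS
# versions a TLS endpoint actually negotiates, instead of trusting
# what a config file or manpage says the default is.

# Pull the negotiated protocol out of openssl s_client/s_server
# session output, e.g. "    Protocol  : TLSv1" -> "TLSv1".
# Prints nothing when the output carries no session block.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Map a protocol name onto a number so versions can be compared.
# Unknown names (including "none") rank below everything.
proto_rank() {
    case "$1" in
        SSLv3)   printf '%s\n' 0 ;;
        TLSv1)   printf '%s\n' 1 ;;
        TLSv1.1) printf '%s\n' 2 ;;
        TLSv1.2) printf '%s\n' 3 ;;
        TLSv1.3) printf '%s\n' 4 ;;
        *)       printf '%s\n' -1 ;;
    esac
}

# Return 0 only when protocol $1 is at least protocol $2
# (e.g. meets_minimum TLSv1 TLSv1.1 fails: TLS 1.0 is too low).
meets_minimum() {
    got=$(proto_rank "$1")
    min=$(proto_rank "$2")
    if [ "$got" -ge 0 ] && [ "$got" -ge "$min" ]; then
        return 0
    fi
    return 1
}

# One handshake against host:port ($1) forcing a single version via
# an s_client flag ($2, one of -tls1 -tls1_1 -tls1_2). Prints the
# version openssl reports, or "none" when no session was established
# (peer refused the version, connection failed, or flag unsupported).
probe_version() {
    host_port=$1
    flag=$2
    if out=$(printf '' | openssl s_client -connect "$host_port" "$flag" 2>/dev/null); then
        p=$(printf '%s\n' "$out" | negotiated_protocol)
        printf '%s\n' "${p:-none}"
    else
        printf '%s\n' none
    fi
}

# Walk the versions the thread is arguing about. For a listener that is
# supposed to refuse TLS 1.0, the -tls1 row must read "none".
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$flag")"
    done
}

# Usage: sh probe_tls.sh 127.0.0.1:7443
if [ $# -eq 1 ]; then
    probe_all "$1"
fi
```

This probes the side of relayd that listens (or any TLS server you point it at). To test relayd as a client, which is what the question is about, keep using the thread's approach: run openssl s_server -www pinned to one version as the destination, fetch a page through relayd, and feed the session block the s_server page shows into negotiated_protocol() to see what relayd actually negotiated.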