Re: Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-17 Thread Marco Corte

Hello, Ryan!

I also propose a different approach... just in case.

I had the same problem with some further constraints.
The Java client runs on Windows and an HAProxy instance running on 
another server was very difficult to set up while complying with all the 
security policies.


In this case it was much easier to set up a stunnel instance on the 
Windows server instead of fighting with the security auditor ;-)


.marcoc



Re: Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-16 Thread Lukas Tribus

Hello Ryan,


On 16.03.2017 at 17:02, Ryan Collier wrote:
> We have a legacy application that can only use TLS 1.1 due to the 
> version of Java it supports (1.6). We connect to a third party for 
> credit card authorizations, and they are going to be upgrading their 
> web services endpoint to only accept TLS 1.2 traffic sometime over the 
> Summer. We need to set up a proxy to intercept the TLS 1.1 traffic and 
> bump it up to TLS 1.2 so that we can remain compliant. Can HAProxy do 
> what I just described?


HAProxy can definitely do that. You would just configure the destination 
server as a backend with TLS termination enabled and configure your 
frontend as you need (with TLS or even plaintext).


Don't mess around with parameters like force-tlsv... etc, the correct 
TLS version will be negotiated.




cheers,
lukas
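
A configuration sketch of the setup described in the reply above, added here as an illustration and not taken from any poster in this thread. The listen address, certificate paths and the upstream name payments.example.com are placeholders.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Legacy side: the Java 1.6 client connects here instead of to the
# third party. The bind address is a placeholder for an internal
# interface; the client must trust the certificate in legacy-proxy.pem.
frontend legacy_in
    bind 10.0.0.10:8443 ssl crt /etc/haproxy/certs/legacy-proxy.pem
    default_backend processor_out

# Upstream side: HAProxy opens its own TLS session to the third party.
backend processor_out
    # The client addressed the proxy, so present the upstream host name.
    http-request set-header Host payments.example.com

    # ssl             : encrypt the connection to the server
    # verify required : reject the server if its certificate chain does
    #                   not validate against ca-file
    # verifyhost      : also require the certificate to match this name
    # sni             : send the server name in the handshake
    # No force-tlsv* keyword is set, so the protocol version is negotiated
    # with the server, as the reply above recommends.
    server processor payments.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost payments.example.com sni str(payments.example.com)
```

Running `haproxy -c -f` on the file checks the syntax before the proxy is started.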




Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-16 Thread Ryan Collier
Hello,

We have a legacy application that can only use TLS 1.1 due to the version of 
Java it supports (1.6). We connect to a third party for credit card 
authorizations, and they are going to be upgrading their web services endpoint 
to only accept TLS 1.2 traffic sometime over the Summer. We need to set up a 
proxy to intercept the TLS 1.1 traffic and bump it up to TLS 1.2 so that we can 
remain compliant. Can HAProxy do what I just described?

Thank you,

Ryan Collier
Lamps Plus
Unix/Linux Systems Administrator
rcoll...@lampsplus.com
Office | 1-818-428-4392