Re: Relayd TLS inspection and SNI

2021-05-21 Thread BS Daemon
54.1% of surveyed sites support TLSv1.2 as their best protocol.

Thanks!

> Sent: Friday, May 21, 2021 at 3:08 AM
> From: "Stuart Henderson"
> To: misc@openbsd.org
> Subject: Re: Relayd TLS inspection and SNI
> On 2021-05-18, BS Daemon wrote:
>> I like using the ba

Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-21, Martin wrote:
> Hi,
>
> MITM is an ancient attack technique and it is not a good idea because it
> breaks original cert chain. So client (application) will see that cert is
> different on its end. Most people and apps reject connection to a resource
> with fake cert which you're

Re: Relayd TLS inspection and SNI

2021-05-21 Thread Martin
Hi,

MITM is an ancient attack technique and it is not a good idea because it breaks original cert chain. So client (application) will see that cert is different on its end. Most people and apps reject connection to a resource with fake cert which you're going to send to them. But you can use

Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-18, BS Daemon wrote:
> I like using the base OpenBSD utilities, and was
> wondering if I'm doing something wrong, if relayd could be made to
> support SNI for man-in-the-middle, or if there is an alternative
> tool for doing this which would work.

I can't help with

Relayd TLS inspection and SNI

2021-05-20 Thread BS Daemon
I am hoping that I'm just doing something wrong, but it appears that while relayd supports some Server Name Identification (SNI) functionality, it does not support SNI for its man-in-the-middle / TLS inspection configuration. Years ago I used relayd to permit access only to certain browsers by