Most WWW browsers removed support for TLS v1.0 & v1.1, including browsers on tablets, etc. I just need an easy way to connect to my old router, and I will need to access it during migration to some newer replacement.
I have found that "HAProxy" can be used to create a proxy with TLS v1.3 to a device with TLS v1.0, as described at https://discourse.haproxy.org/t/frontend-tls1-3-backend-tls1-0/4162

HAProxy configuration is tricky; this is my configuration, which I can start on a PC with Ubuntu and which allows me to connect with any modern WWW browser to my old router. It is a workaround. This is my first configuration of HAProxy; an experienced user can design a better solution...

EXAMPLE. HAProxy listens at https://localhost:4444 and redirects to the web admin interface of my router, which is at https://192.168.222.1:445

```
$ cat haproxy-firewall.cfg
# haproxy -f haproxy-firewall.cfg

global
    # global settings here
    tune.ssl.default-dh-param 2048

defaults
    # defaults here
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend firewall_in_4444
    # a frontend that accepts requests from clients
    bind *:4444 tfo ssl crt firewall.crt
    mode http
    option forwardfor
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request redirect scheme https if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https
    # header name takes no trailing colon; the defined value is "nosniff"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    default_backend firewall_in_445

backend firewall_in_445
    # servers that fulfill the requests
    mode http
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # CONNECT TO THE ROUTER
    server firewall 192.168.222.1:445 maxconn 50 ssl verify none cookie firewall1
```

The config file refers to the TLS certificate firewall.crt. I used certificates from my router, but you can create whatever you need. The file firewall.crt looks like this:

```
$ cat firewall.crt
-----BEGIN CERTIFICATE-----
MIIBoTCCAQoCCQD0JGamOKwuIDANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDEwpp
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDTR0YioAYxPdq4qKzUVMLDfxUBB+qcd05L39fInHx5MlRhnoKX
....
-----END RSA PRIVATE KEY-----
```

TEST:

```
$ curl -v -s --tlsv1.3 https://localhost:4444
* Rebuilt URL to: https://localhost:4444/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 4444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* stopped the pause stream!
* Closing connection 0
```

--
https://bugs.launchpad.net/bugs/1964122

Title:
  Cannot connect to router with admin page over TLS v1.0
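
Added example, not part of the original post or of HAProxy: a small Python audit that flags the lines in a TLS-bridging configuration like the one above that widen exposure (wildcard `bind`, backend `verify none`, malformed response header). The function name, finding codes and messages are hypothetical, and the sample input is constructed from the post's configuration.

```python
# Added example: audit a TLS-bridging HAProxy config for risky lines.
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
WILDCARD_HOSTS = ("", "*", "0.0.0.0", "::", "[::]")
MESSAGES = {  # hypothetical finding codes with suggested mitigations
    "wildcard-bind": "listener accepts connections on every interface; "
                     "bind to 127.0.0.1 for single-user use",
    "backend-verify-none": "backend certificate is not verified; pin the "
                           "device certificate with 'verify required ca-file'",
    "header-name-colon": "header name contains ':', not valid in a field name",
    "xcto-value": "X-Content-Type-Options only defines the value 'nosniff'",
}

# Constructed sample modelled on the post's configuration, including a
# malformed header line for the check to catch.
SAMPLE_CFG = """\
frontend firewall_in_4444
    bind *:4444 tfo ssl crt firewall.crt
    mode http
    http-response set-header X-Content-Type-Options: nosnif
    default_backend firewall_in_445

backend firewall_in_445
    mode http
    server firewall 192.168.222.1:445 maxconn 50 ssl verify none cookie firewall1
"""

def audit_haproxy(cfg_text):
    """Return (line_number, section, code) for each finding, in file order."""
    findings, section = [], ""
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # naive comment strip (ignores quoting)
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif words[0] == "bind" and len(words) > 1:
            if words[1].rsplit(":", 1)[0] in WILDCARD_HOSTS:
                findings.append((no, section, "wildcard-bind"))
        elif words[0] == "server" and "ssl" in words[1:]:
            if "verify" in words and words[words.index("verify") + 1:][:1] == ["none"]:
                findings.append((no, section, "backend-verify-none"))
        elif words[0] in ("http-request", "http-response") and len(words) > 3 \
                and words[1] in ("set-header", "add-header"):
            name, value = words[2], words[3]
            if ":" in name:
                findings.append((no, section, "header-name-colon"))
            if name.rstrip(":").lower() == "x-content-type-options" and value != "nosniff":
                findings.append((no, section, "xcto-value"))
    return findings

if __name__ == "__main__":
    for no, section, code in audit_haproxy(SAMPLE_CFG):
        print(f"line {no} [{section}] {code}: {MESSAGES[code]}")
```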
