Relayd as a HTTPS client
Posted by e1-531g, 9th January 2016

I posted this to the misc mailing list on 6th January 2016, but no one replied.

Hi,
I am using the following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect to servers using TLS versions 1.1 and 1.2.
I don't want TLS version 1.0 and SSL version 3.0. Here is the, I hope relevant, part of my config /etc/relayd.conf:

Code:
http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls tlsv1.1
        tls tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # I will change that in the future
        # I don't use that config for my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
        pass
}

relay SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        protocol certKlient
        forward with tls to destination
}
The problem is that I can type into the terminal something like:

Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
-no_tls1_2
or
Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1
and tell Chromium to go to: https://127.0.0.1:44330/
and it will connect using TLS version 1.0.

Code:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx: 01000000
    Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
    Start Time: 1452113060
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0.

What should I add to /etc/relayd.conf to prevent that?
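The post establishes which protocol was negotiated by reading the "Protocol : TLSv1" line that openssl s_server prints. The same fact can be read directly off the wire from the ServerHello the upstream server sends back to the relay, which is useful when the upstream is not under your control and you can only capture the relay's outbound connection. The following is an added example, not code from the original post or from relayd: it decodes the negotiated version and cipher suite from a single TLS handshake record, honours the TLS 1.3 supported_versions extension, and applies the check the poster wants (only TLS 1.1 and 1.2 accepted). The ServerHello bytes it runs on are constructed by a helper in the block, not taken from a real capture; the cipher-suite name table is a small subset of the IANA registry.

```python
import struct

# Protocol version numbers as they appear on the wire (record layer, ServerHello
# and the TLS 1.3 supported_versions extension).
VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}

# Small subset of the IANA cipher-suite registry, named as OpenSSL prints them.
CIPHERS = {
    0x002F: "AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x1302: "TLS_AES_256_GCM_SHA384",
}

HANDSHAKE = 22                 # record-layer content type
SERVER_HELLO = 2               # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from one ServerHello record.

    Only the first handshake message in the record is examined. A TLS 1.3 server
    writes 0x0303 into the legacy version field and the real version into the
    supported_versions extension, so that extension wins when present.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record (type %d)" % ctype)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello (handshake type %d)" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                       # skip server_random
    pos += 1 + hs[pos]                 # skip session_id
    if pos + 3 > len(hs):
        raise ValueError("session_id overruns message")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                       # cipher_suite, compression_method

    if pos + 2 <= len(hs):             # the extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += ext_size

    return {
        "version": VERSIONS.get(version, "0x%04x" % version),
        "cipher": CIPHERS.get(suite, "0x%04x" % suite),
    }


def version_allowed(record: bytes, allowed=("TLSv1.1", "TLSv1.2")) -> bool:
    """The check from the post: True only if the server picked an allowed version."""
    return parse_server_hello(record)["version"] in allowed


def build_server_hello(version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample data for testing, not a capture)."""
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if extensions:
        hs += struct.pack("!H", len(extensions)) + extensions
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, min(version, 0x0303), len(body)) + body


if __name__ == "__main__":
    # The outcome the post saw from "openssl s_server ... -tls1": TLS 1.0 with
    # ECDHE-RSA-AES256-SHA, which the relay was meant to refuse.
    sample = build_server_hello(0x0301, 0xC014)
    print(parse_server_hello(sample), "allowed:", version_allowed(sample))
```

To use it against the real setup, capture the relay's outbound connection to the upstream (the side past "relayd as a client"), take the first handshake record the server sends and hand its bytes to parse_server_hello. Because the ClientHello only carries the highest version the client offers, the ServerHello is the only message that tells you which version was actually agreed, which is why this is the record to inspect.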