View Single Post
  #1   (View Single Post)  
Old 9th January 2016
e1-531g e1-531g is offline
ISO Quartermaster
Join Date: Mar 2014
Posts: 587
Default Relayd as a HTTPS client

I have posted this to misc mailing list 6th January 2016, but no one replied.

I am using following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privo-
xy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect using TLS versions 1.1 and 1.2
to servers. I don't want TLS version 1.0 and SSL version 3.0. Here is
, I hope relevant, part of my config /etc/relayd.conf:

http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls  tlsv1.1
        tls  tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in   a future
        # i don't use that config to my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256" 

relay  SendReencryptNormal {
        listen on port 7443
        protocol certKlient
        forward with tls to destination
The problem is that I can type into terminal something like:

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www  -tls1
and tell Chromium to go to:
and it will connect using TLS version 1.0.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1
Session-ID-ctx: 01000000
Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C 1449AE1CA19C393AD995 \
2FBC7B8023ECD7767D72B47D9B Start Time: 1452113060
Timeout : 300 (sec)
Verify return code: 0 (ok)

I can also go to:
and this website also tells me, that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0.

What should I add to /etc/relayd.conf to prevent that?
Reply With Quote