I have posted this to misc mailing list 6th January 2016, but no one replied.
Hi,
I am using following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privo-
xy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect using TLS versions 1.1 and 1.2
to servers. I don't want TLS version 1.0 and SSL version 3.0. Here is
, I hope relevant, part of my config /etc/relayd.conf:
Code:
http protocol certKlient {
tls no cipher-server-preference
tls no tlsv1.0
tls tlsv1.1
tls tlsv1.2
tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in a future
# i don't use that config to my bank account and other relevant websites
tls ca cert "/etc/ssl/ca.crt"
tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
pass
}
relay SendReencryptNormal {
listen on 127.0.0.1 port 7443
protocol certKlient
forward with tls to destination
}
The problem is that I can type into terminal something like:
Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
-no_tls1_2
or
Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1
and tell Chromium to go to:
https://127.0.0.1:44330/
and it will connect using TLS version 1.0.
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx: 01000000
Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C 1449AE1CA19C393AD995 \
2FBC7B8023ECD7767D72B47D9B Start Time: 1452113060
Timeout : 300 (sec)
Verify return code: 0 (ok)
I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me, that I can be connected using TLS version 1.0.
So this is my main problem: I don't want to connect using TLS version 1.0.
What should I add to /etc/relayd.conf to prevent that?