Relayd as a HTTPS client
I posted this to the misc mailing list on 6th January 2016, but no one replied.

Hi,

I am using the following configuration to connect to TLS websites:

    Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet

I want to focus on relayd as a client in this mailing list thread. I want to instruct relayd as a client to only connect to servers using TLS versions 1.1 and 1.2. I don't want TLS version 1.0 and SSL version 3.0. Here is the, I hope relevant, part of my config /etc/relayd.conf:

Code:
    http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls tlsv1.1
        tls tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in a future
                                                               # i don't use that config to my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
        pass
    }

    relay SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        protocol certKlient
        forward with tls to destination
    }

Code:
    openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
        -no_tls1_2

Code:
    openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1

and it will connect using TLS version 1.0.

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID:
        Session-ID-ctx: 01000000
        Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
        Start Time: 1452113060
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

I can also go to https://www.ssllabs.com/ssltest/viewMyClient.html and this website also tells me that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0. What should I add to /etc/relayd.conf to prevent that?
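As an added example (not code from the thread or from relayd), here is a small POSIX shell helper that turns the manual check above into a repeatable one. It reads the session summary that `openssl s_server -www` returns in its response (or that `openssl s_client` prints), extracts the negotiated protocol, and reports anything below TLS 1.1 as unacceptable. A second function probes a TLS server directly, one `openssl s_client` connection per version flag; it assumes an openssl/LibreSSL build that still accepts `-tls1`, `-tls1_1` and `-tls1_2`, and it exercises the server side of a connection (such as the local s_server on port 44330), not the relay's client side, which still needs the pinned-version server used in the post. The sample session block in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from relayd.
# Reads an openssl session summary and checks the negotiated TLS version.

# Constructed sample: the kind of SSL-Session block openssl s_server -www
# returns in its HTTP response (values are made up for the demo).
SAMPLE_SESSION='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'

# Print the negotiated protocol found in an openssl session summary on stdin
# ("TLSv1", "TLSv1.1", "TLSv1.2", ...), or "none" when no session was set up.
tls_protocol_from_output() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { found = $NF }
        END { print (found == "" ? "none" : found) }
    '
}

# Policy from the thread: TLS 1.0 (and anything older) must not be used.
# Returns 0 when the version is acceptable, 1 otherwise.
tls_protocol_is_acceptable() {
    case "$1" in
        TLSv1.1|TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a summary from stdin, print the verdict, return 0 only if acceptable.
check_session() {
    proto=$(tls_protocol_from_output)
    if tls_protocol_is_acceptable "$proto"; then
        echo "negotiated $proto: ok"
        return 0
    fi
    echo "negotiated $proto: NOT acceptable (TLS 1.1 or newer required)"
    return 1
}

# Probe a TLS server with one connection per version flag and report what it
# accepts. Assumes an openssl/LibreSSL s_client that still understands
# -tls1, -tls1_1 and -tls1_2 (some newer LibreSSL releases dropped them).
probe_server_versions() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2; do
        proto=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>/dev/null \
                | tls_protocol_from_output)
        printf '%-9s -> %s\n' "$flag" "$proto"
    done
}

# Stand-alone demo on the constructed sample; with host and port arguments,
# probe a real server instead (e.g. 127.0.0.1 44330 for the local s_server).
if [ $# -eq 2 ]; then
    probe_server_versions "$1" "$2"
else
    # The exit status of check_session carries the verdict; "|| :" keeps the
    # demo from aborting a caller that runs with set -e.
    printf '%s\n' "$SAMPLE_SESSION" | check_session || :
fi
```

Run it with no arguments to see the constructed TLSv1 sample flagged, or with `host port` to list which versions a server will negotiate; `openssl s_client` output can also be piped straight into `check_session` in a cron job or monitoring check so a regression to TLS 1.0 shows up as a non-zero exit status.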
I recommend reporting the problem to bugs@, where it is less likely to be missed. This is because TLS v1.0 and v1.1 are disabled by default, according to relayd.conf(5).

Be sure to include your dmesg when you report the problem, since the specific release or system build date of -current may be helpful to anyone trying to assist you.
I note you've posted to bugs@. You did not post a dmesg; no one is likely to examine your bug report without one.

Anyone reading your report does not know your architecture, what release/flavor you are using, and if you are using either -stable or -current, they do not know when your system was built, so there is no way to know what commits to relayd or underlying libraries are involved. http://www.openbsd.org/report.html
I'm doing something similar without privoxy in the middle. I think it's working here on a Dec 05 snapshot.

My tls options are formatted like this:

    tls {
        no tlsv1.0,
        no tlsv1.1,
        ciphers "HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4"
    }

Relayd can't connect to a site that is only accepting up to TLS v1.0 (as confirmed with Firefox).

Tim.

EDIT: On second thought, I realized that the host check to the TLS 1.0 site was still passing. So you're right. The tls parameters seem to only apply to the server connection of relayd, not to the client connection.

EDIT2: ...Sorry. You got a reply on bugs@, I confirmed what Benno said. But it seems the options don't apply to the host check but do apply to the client connection.

Last edited by TronDD; 11th January 2016 at 05:27 PM.
Thanks for the answers.

I have tried to reproduce the connection today with simpler tools, and instead of Chromium I have used echo and nc. Frankly I must admit that relayd fails to connect, so it is good. My rules just don't intercept connections on the lo0 interface and don't try to intercept on ports other than 443. The first was the cause of the false positive using the local openssl-based server, the second using the ssllabs web page. It turns out that it was my fault. Sorry.