DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 9th January 2016
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 500
Default Relayd as a HTTPS client

I have posted this to misc mailing list 6th January 2016, but no one replied.

Hi,
I am using following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privo-
xy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect using TLS versions 1.1 and 1.2
to servers. I don't want TLS version 1.0 and SSL version 3.0. Here is
, I hope relevant, part of my config /etc/relayd.conf:

Code:
http protocol certKlient {
        tls no cipher-server-preference
        tls no tlsv1.0
        tls  tlsv1.1
        tls  tlsv1.2
        tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in   a future
        # i don't use that config to my bank account and other relevant websites
        tls ca cert "/etc/ssl/ca.crt"
        tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256" 
        pass
}

relay  SendReencryptNormal {
        listen on 127.0.0.1 port 7443
        protocol certKlient
        forward with tls to destination
}
The problem is that I can type into terminal something like:

Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 -no_tls1_1 \
-no_tls1_2
or
Code:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www  -tls1
and tell Chromium to go to: https://127.0.0.1:44330/
and it will connect using TLS version 1.0.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx: 01000000
Master-Key: EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C 1449AE1CA19C393AD995 \
2FBC7B8023ECD7767D72B47D9B Start Time: 1452113060
Timeout : 300 (sec)
Verify return code: 0 (ok)

I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me, that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0.

What should I add to /etc/relayd.conf to prevent that?
Reply With Quote
 

Tags
client, https, relayd, tls

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Strong cipher config for relayd e1-531g OpenBSD Security 1 5th September 2015 03:05 AM
relayd gpatrick OpenBSD General 0 8th May 2012 10:10 PM
OBSD client hangs mounting NFS; Linux client doesn't amorphousone OpenBSD General 7 26th August 2010 05:21 AM
relayd gpatrick OpenBSD General 1 16th January 2010 12:19 AM
relayd won't work with multiple relays d0z3r OpenBSD General 0 26th June 2008 09:58 AM


All times are GMT. The time now is 06:14 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick