user13540880

Reputation: 31

How to hide weak SSL behind a Proxy?

So I have the following setup:

Weak TLS 1.0 Application <--> DMZ Reverse Proxy <--> The Client

The Apache vhost is configured like this:

HTTP:

<VirtualHost x.x.x.x:80>
  ServerName weak.application.de
  Redirect / https://weak.application.de/
</VirtualHost>

HTTPS:

<VirtualHost x.x.x.x:443>
  ServerName weak.application.de:443

  # Client-facing TLS: TLS 1.2 only, forward-secret AES-256 suites
  SSLEngine on
  SSLCipherSuite AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCertificateFile /actual/cert/of/the/application
  SSLCertificateKeyFile /actual/key/of/the/application
  SSLCertificateChainFile /actual/intermediate_chain/of/the/application

  # Proxy-to-backend leg over TLS; the backend only speaks TLS 1.0
  SSLProxyEngine On
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
  ProxyRequests Off
  ProxyPass / https://weak.application.de/
  ProxyPassReverse / https://weak.application.de/
</VirtualHost>

And it is working fine. But I just noticed the following: when connecting with openssl s_client to the proxy IP for this application, I get connected with TLS 1.2, as intended.

But when I access the same IP with my browser, the certificate details tell me that I am connected using TLS 1.0, which is weak.

Is there a proper way to hide the weak TLS behind the proxy? Did I miss something?

I would like to have something like this: Weak Application <- TLS 1.0 -> DMZ Reverse Proxy <- TLS 1.2 -> The Client

I am using Apache/2.4.6 on CentOS 7.8. Thanks in advance.

Cheers, Tomasz

Upvotes: 2

Views: 2472

Answers (1)

user13540880

Reputation: 31

I just figured out that this was some kind of caching/session issue. The config is correct, and after reloading httpd and using private browsing I was able to connect to the weak server via the proxy, and it looks like we are using TLS 1.2.

Since I am sending requests to the server using the proxy IP as hostname, I additionally had to add the following lines in order to prevent server errors:

SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

Simply because the proxy IP is not a CN or SAN in the certificate of the weak server, so there would be a mismatch. When going live, these options should be removed.

I hope this helps someone. Correct me if I'm wrong. Bye

Upvotes: 1
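A production-oriented version of the HTTPS vhost, added here as an example and not the original poster's config. It keeps the client-facing SSLProtocol line that refuses TLS 1.0/1.1, confines the weak protocol to the proxy-to-backend hop, and replaces the three debug-only lines from the answer (SSLProxyVerify none, SSLProxyCheckPeerCN off, SSLProxyCheckPeerName off) with real verification of the backend certificate. It assumes the backend certificate carries weak.application.de as CN/SAN, that the proxy host resolves weak.application.de to the backend address (for example through an /etc/hosts entry) rather than to its own x.x.x.x, and that the backend's issuing CA is stored at /etc/pki/tls/certs/backend-ca.pem; the CA path and the certificate paths are placeholders.

```apache
<VirtualHost x.x.x.x:443>
  ServerName weak.application.de:443

  # Client-facing leg: TLS 1.2 only, exactly as in the original vhost
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite AES256+EECDH:AES256+EDH
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCertificateFile /actual/cert/of/the/application
  SSLCertificateKeyFile /actual/key/of/the/application
  SSLCertificateChainFile /actual/intermediate_chain/of/the/application

  # Proxy -> backend leg
  SSLProxyEngine On
  # The backend cannot do better than TLS 1.0, so it stays allowed here and
  # only here; the SSLProtocol line above still refuses it from clients.
  SSLProxyProtocol all -SSLv2 -SSLv3

  # Debug-only settings from the answer, kept as comments so they are not
  # shipped by accident: they disable every check on the backend certificate.
  #   SSLProxyVerify none
  #   SSLProxyCheckPeerCN off
  #   SSLProxyCheckPeerName off

  # Production replacement: verify the backend certificate against its issuing
  # CA (placeholder path) and require the name in the ProxyPass URL to match it.
  SSLProxyVerify require
  SSLProxyVerifyDepth 2
  SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
  SSLProxyCheckPeerName on
  SSLProxyCheckPeerExpire on

  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
  ProxyRequests Off
  # Use the name that appears in the backend certificate, not an IP address,
  # so the peer-name check can pass; the proxy host must resolve that name to
  # the backend (assumed /etc/hosts entry), otherwise it would proxy to itself.
  ProxyPass / https://weak.application.de/
  ProxyPassReverse / https://weak.application.de/
</VirtualHost>
```

To confirm the split, run openssl s_client -connect x.x.x.x:443 -tls1 from outside the DMZ: the handshake must fail, while the same command with -tls1_2 must succeed. A browser can keep reusing an already established TLS session, which is why the answer only saw TLS 1.2 after a reload and a fresh private window; openssl s_client starts a new handshake every time and is the more reliable check.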
