It is not officially supported in the current version.
However, we have already added the possibility to use certificate validations. It is not finalized yet, so it is not public.
You can use this undocumented config.yaml setting:
validationOptions: AcceptAll
Or when adding a new tunnel using the command line interface use:
--validation-options AcceptAll
We will finalize this in a future release.
Please note that the AcceptAll setting will completely skip certificate validation (which is similar to disabling TLS). This can be acceptable if the TLS Proxy and the target server are in the same protected private network (or when the proxy is running on the same machine as the target server). However, it is unsafe and I strongly discourage doing this if the communication between the proxy and the target server goes over an insecure network (such as the internet).
What I would do personally:
- Issue a self-signed root for my company.
- Issue a certificate for the target server with the only available usage being Server Authentication.
- Add the self-signed company root certificate to Trusted Root Certificates on the machine the proxy is running on - this will cause the proxy to succeed when validating the target server's certificate, keeping the connection between proxy and target server secure.
- Keep the self-signed root locked on a USB stick in a company vault; or the self-signed root with its associated private key can be deleted, as only the public part of the certificate needs to be stored (deleting is the most secure solution - if a new server certificate needs to be issued, a new self-signed root must be issued as well and added to trusted roots by an administrator).
The above discussion will solve the error on the proxy side. If the client is having a similar issue with a self-signed certificate (connection between client and proxy), the client must handle the error (not the proxy).
You can:
- Disable TLS on the proxy and set up clients to connect without TLS.
- Disable the certificate check on the client (which is not suggested, because it is practically the same as disabling TLS).
- Add the proxy certificate to the known certificates in the client app (if the client app has such functionality).
- Use the solution suggested above (install the self-signed company root on the client machine).
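To make the difference between the two options in the post concrete, here is an added example (not the proxy project's own code) of how a proxy-to-target TLS context changes depending on the validationOptions setting. The key name validationOptions and the value AcceptAll come from the post; the trustedRoot key, the Default value and the config fragments are assumptions constructed for illustration, and the simple key: value parser stands in for a real YAML loader.

```python
import ssl
from typing import Optional

# Constructed config.yaml fragments. "validationOptions: AcceptAll" is the
# undocumented setting from the post; "trustedRoot" is an assumed key that
# points at the self-signed company root recommended in the post.
CONFIG_ACCEPT_ALL = "validationOptions: AcceptAll\n"
CONFIG_COMPANY_ROOT = (
    "validationOptions: Default\n"
    "trustedRoot: /etc/tlsproxy/company-root.pem\n"  # assumed path
)


def parse_config(text: str) -> dict:
    """Minimal 'key: value' parser for flat fragments (no YAML library needed)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def describe_policy(cfg: dict) -> dict:
    """Summarise what the setting does, so it can be reviewed before deployment."""
    accept_all = cfg.get("validationOptions") == "AcceptAll"
    return {
        "verifies_chain": not accept_all,
        "checks_hostname": not accept_all,
        # With AcceptAll there is no trust anchor at all; otherwise either the
        # configured company root or the system store is used.
        "trust_anchor": None if accept_all else cfg.get("trustedRoot", "system store"),
        # The post's condition: AcceptAll is only tolerable inside a protected
        # private network or on the same machine as the target server.
        "safe_over_untrusted_network": not accept_all,
    }


def build_client_context(cfg: dict, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the SSLContext the proxy would use towards the target server.

    AcceptAll disables hostname checking and chain verification, which is the
    'similar to disabling TLS' case described in the post. Any other value keeps
    full verification; if a company root is given (ca_file overrides the config),
    trust is pinned to that root instead of the system store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if cfg.get("validationOptions") == "AcceptAll":
        # Order matters: check_hostname must be off before verify_mode is CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    root = ca_file or cfg.get("trustedRoot")
    if root:
        ctx.load_verify_locations(cafile=root)  # only the company root is trusted
    return ctx


if __name__ == "__main__":
    for text in (CONFIG_ACCEPT_ALL, CONFIG_COMPANY_ROOT):
        cfg = parse_config(text)
        print(cfg, "->", describe_policy(cfg))
```

The context for the company-root configuration only loads the root file when it exists on disk, so on a machine where that path is absent load_verify_locations raises an error rather than silently falling back to the system store; that is the behaviour you want from a proxy that is supposed to trust exactly one private root.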