Ask a Question

Rebex TLS Proxy for PBX

0 votes
by (130 points)

Looking for some help.

We are using an older version of a phone server that is using XP Embedded as an OS. The system will continue to operate as the phones don't run windows, so they will continue to communicate with it. There is a phone proxy server in place (running linux) running SIP, so that will continue. The Windows interface which acts as a phonebook phone dialer and caller id is starting to break because of the complete disabling of TLS1.0 as windows updates run through the office. (Response Point PBX by Microsoft that was abandoned in 2010, so no chance of an update from them). The PBX has a self-signed certificate SHA1 that the phone app no longer can access the system. I'm trying to figure out if I have to setup another proxy server to be a go-between or if I have to install this on the PBX itself. Because the PBX is running XP embedded. So do I install this as a proxy or do I have to install Rebex on the PBX? Is there a good document on setup options?

Applies to: Rebex TLS

1 Answer

–1 vote
by (72.7k points)

The Rebex TLS Proxy uses .NET 6 runtime, which is not available on Windows XP (please see list of supported platforms).

However, we also offer a light-weight version of the TLS Proxy suitable for Windows XP - Rebex Tiny TLS Proxy.

To display setup options, please check Rebex TLS Proxy homepage or run:

  • For TLS Proxy: tlsproxy.exe tunnel add -?
  • For Tiny TLS Proxy: RebexTinyTlsProxy.exe -h
by (130 points)
So I can't install Regex on the PBX server because I can't force the port 443 through the proxy first so I took another server with the intent to be a proxy (Similar to how our VOIP is working)
so I installed with an 80 and 443 proxy to route to the PBX, but I get the following errors in the log

config:
- name: RPs
  in:
    address: 192.168.0.206 #Proxy Server
    port: 443
    protocol: TLS
    tlsVersions: TLS13
  out:
    #address: 192.168.0.189 #PBX Server
    #address: Microsoft Response Point base unit (00:XX:XX:XX:72:69)
    (The Actual MAC address were replaced with XX for protection here)
    port: 443
    protocol: TLS
    tlsVersions: TLS10

Log:
2022-11-14 22:23:55.357 [DBG] Tunnel(1)[#1 'RPs'][O]: jay: Server certificate was rejected by the verifier because the certificate's common name 'Microsoft Response Point base unit (00:XX:XX:XX:72:69)' does not match the hostname '192.168.0.189'.

So I tried to add the name to the hosts file (since the server would be the only one who would need this)
2022-11-14 22:41:46.843 [INF] Tunnel(1)[#1 'RPs'][O]: Resolving 'Microsoft Response Point base unit (00:XX:XX:XX:72:69)'.
2022-11-14 22:41:18.674 [INF] Tunnel[#1 'RPs']: Listening at 192.168.0.206:443 (forwarding to Microsoft Response Point base unit (00:XX:XX:XX:72:69):443) ...

and I get this
2022-11-14 22:41:46.866 [WRN] Tunnel(1)[#1 'RPs'][-]: (192.168.0.48) Cannot start outbound tunnel due to: System.Net.Sockets.SocketException: No such host is known.

I Tried to add the name to the variable "ServerNames" but the Rebex exceptioned out and failed to start

now I can't change the common name as this is what the certificate is from 2008 and abandoned by Microsoft with apparently no way to generate a new one.  Now when the "assistant' does its search, it does come up with a name "OEM-S1Z...", but obviously doesn't match the name of the certificate.  I can punch in the IP address of the proxy, but with the error above, is failing out

I actually was able to install a new TLS 1.2 certificate on the PBX server and attempt to use that, but they put some check in there and I get "some aspects of the security certificate are not correct", so who knows what Microsoft put in, but the PBX has it's own selfcert exe, my guess is they jumbled the hash so that only it's generator is a valid one.  Currently the selfcert comes up with an error 0x5, my guess is after upgrading the XP embedded OS of the PBX to SP3 and the POS upgrade to enable TLS1.3 is causing the PBX's version of selfcert to freak.  My guess is if I changed the name, the assistant would freak on that too.

Any Ideas on how I can proceed?
by (72.7k points)
To solve error: "Server certificate was rejected by the verifier because the certificate's common name 'Microsoft Response Point base unit (00:XX:XX:XX:72:69)' does not match the hostname '192.168.0.189'." please use the `sniOverride` config key and set it to desired common name of the server = 'Microsoft Response Point base unit (00:XX:XX:XX:72:69)'.

Please see documentation for `sniPreserve` key in the config-sample.yaml file:

    # Assigns specific SNI to outbound tunnel. Optional.
    # Useful especially when host on outbound tunnel is specified by IP address.
    # If specified, the `sniPreserve` option is ignored.
    sniOverride: www.example.com

For `address` use desired IP: 192.168.0.189
You should not need to update hosts file.
by (130 points)
So I have tried about 15 different variations
    #servernames: Microsoft Response Point base unit (00:XX:XX:XX:72:69)
    servernames: "*"
    sniPreserve: true
    #sniOverride: Microsoft Response Point base unit (00:XX:XX:XX:72:69)
    sniOverride: '192.168.0.189'

and all I get when I reload the proxy server is

ERROR Cannot start service 'RebexTlsProxy' on computer '.'.
System.InvalidOperationException: Cannot start service 'RebexTlsProxy' on computer '.'.
 ---> System.ComponentModel.Win32Exception (1053): The service did not respond to the start or control request in a timely fashion.
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at System.ServiceProcess.ServiceController.Start()
   at hjd.<>c.uft(ServiceController oz)
   at hjd.yht(Action`1 ou, ServiceControllerStatus ov)
   at hjd.yhq()
   at hjh.<>c.vqq(hjd qg)
   at hjg.kdy[b](String px, Func`2 py)
   at hjh.cth(String qc)
   at hjf.iix()
   at Rebex.TlsProxy.Cli.SvcStartCliOptionsBase.Run(hjf handler)
   at hhn.Handle(SvcStartStopCliOptionsBase op)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
   at hhn.omp(VerbOptionsBase d)
   at hhr.Main(String[] args)
I'm hoping I'm not overloading the string with being too long (54 bytes), but when I put to "*" that shouldn't be the problem.

Thanks in advance.
by (72.7k points)
The "The service did not respond to the start or control request in a timely fashion." very probably means you made the config.yaml file unparsable. The easiest way to see the error is to run the tlsproxy in interactive mode, type "tlsproxy run".
Or look at the Event Viewer -> Windows Logs -> Application to see the error.

Your yaml.config should look like this:

tunnels:
  - name: RPs
    in:
      address: 192.168.0.206 #Proxy Server
      port: 443
      protocol: TLS
      tlsVersions: TLS13
    out:
      address: 192.168.0.189 #PBX Server
      port: 443
      protocol: TLS
      tlsVersions: TLS10
    certificate: "test" #Certificate of the Proxy Server
    sniOverride: "Microsoft Response Point base unit (00:XX:XX:XX:72:69)" #Common name of the PBX Server's certificate
by (130 points)
I don't know if I should continue this thread or start a new one.  After completely wiping the config file and starting over. Rebex/RP has the semblance of working, but now I am getting a new error.  It properly downloads the certificate from the PBX/Proxy, but now I get an 0x80072f7c error stating the assistant could not log on to the base unit. Doing some searches, I found that this error might translate to ERROR_WINHTTP_REDIRECT_FAILED.  Nothing abnormal shows in the debug log.  The log shows a bunch of work, shows that the app and the PBX shared between 176 and 285 bytes in and 141 bytes out but nothing substantive. Is there a level above "debug" that I can set that might show why this is an issue.
 for all I know Microsoft has some strange Proxy block that will prevent this.  Considering all this app does is show caller id and a phone book, not sure why they had all this protection built in.
Thanks again in advance...
by (72.7k points)
It is up to you, you can continue this thread, or start new thread or write email to support@rebex.net to continue the conversation. Whichever suites you the best.

---

For the ERROR_WINHTTP_REDIRECT_FAILED:
I am not sure what exactly this can mean. However, I have two ideas:

1. You used wrong/invalid certificate on proxy server and the client connecting to the proxy cannot validate the certificate successfully.
   The reason can be same as the previous issue = "common name does not match the hostname". However, now the client is complaining.
   To fix this, the certificate used at the proxy, must be issued for hostname you are using on the client to connect to the proxy.
   If you are using IP address instead of hostname, the certificate must be issued for that IP address, but it depends on the client,
   whether it will validate such certificate successfully. If I am correct, e.g. Google Chrome will not validate such certificate successfully.
   
2. The PBX server uses its certificate to sign data (or part of it) which are sent to the client (e.g. signed SOAP works like this).
   The client tries to verify the signature, but it has two different certificates. One from TLS layer and the second from signed content.
   This can result to ERROR_WINHTTP_REDIRECT_FAILED.
   To fix this, you have to use the exact same certificate on the proxy and PBX server.
   
---

Yes, there is level above Debug. Either execute "tlsproxy run --verbose"
Or maybe more useful is to set up a file logging in the config:

logging:
  global: # Global logger (troubleshooting for debugging purposes)
    location: C:\data\tlsproxy\logs
    minLevel: Verbose

Again, please see config-sample.yaml file for more details.
...