0 votes
by (160 points)

Hi! I'm using machine with Windows XPSP3 and several applications that don't support secure connections. I need to use that applications to connect with servers that support only modern secure connections (TLS 1.2, 1.3). Please explain how to configure your program correctly? Thanks.

1 Answer

+1 vote
by (70.2k points)
selected by
 
Best answer

Please run RebexTinyTlsProxy.exe -h to see available options and syntax.

To add TLS layer to unsecured connections, you can configure the proxy like this:

RebexTinyTlsProxy.exe -toTLS TLS12-TLS13 8080:httpbin.org:443 -forever

Above example allows you to access httpbin.org:443 secured with TLS 1.2/1.3 using plain HTTP protocol, when requesting localhost:8080.

by (160 points)
Thanks for answer. Below is excerpt from log. How to fix it?

Starting TLS proxy...
2023-01-04 12:48:32.390 INFO TlsProxy(0)[1] INFO: Listening at 0.0.0.0:8080 (forwarding to flacsfor.me:443) ...
Proxy started.
2023-01-04 12:49:06.562 DEBUG TlsProxy(0)[4] INFO: Connection from 127.0.0.1:3379 accepted on 127.0.0.1:8080.
2023-01-04 12:49:06.578 INFO Tunnel(1)[4] INFO: Starting tunnel (127.0.0.1:3379) --'unsecure'--> (8080) --'TLS12,TLS13'--> (flacsfor.me:443).
2023-01-04 12:49:06.921 INFO Tunnel(1)[4] OUT: Assembly: Rebex.Tls R6.0 for .NET 4.0-4.8
2023-01-04 12:49:06.921 INFO Tunnel(1)[4] OUT: Platform: Windows 5.1.2600 32-bit; CLR: 4.0.30319.1
2023-01-04 12:49:06.937 DEBUG Tunnel(1)[4] OUT: Culture: ru; windows-1251
2023-01-04 12:49:06.937 INFO Tunnel(1)[4] OUT: Resolving 'flacsfor.me'.
2023-01-04 12:49:06.953 INFO Tunnel(1)[4] OUT: Connecting to 185.165.241.225:443 using TlsClientSocket.
2023-01-04 12:49:06.984 DEBUG Tunnel(1)[4] OUT: Connection established (socket #3C2C062).
2023-01-04 12:49:07.000 INFO Tunnel(1)[4] OUT: Starting TLS negotiation.
2023-01-04 12:49:07.000 DEBUG Tunnel(1)[4] OUT: Using TLS 1.3 core.
2023-01-04 12:49:07.281 DEBUG TlsProxy(0)[5] INFO: Connection from 127.0.0.1:3381 accepted on 127.0.0.1:8080.
2023-01-04 12:49:07.281 INFO Tunnel(2)[5] INFO: Starting tunnel (127.0.0.1:3381) --'unsecure'--> (8080) --'TLS12,TLS13'--> (flacsfor.me:443).
2023-01-04 12:49:07.281 INFO Tunnel(2)[5] OUT: Assembly: Rebex.Tls R6.0 for .NET 4.0-4.8
2023-01-04 12:49:07.281 INFO Tunnel(2)[5] OUT: Platform: Windows 5.1.2600 32-bit; CLR: 4.0.30319.1
2023-01-04 12:49:07.281 DEBUG Tunnel(2)[5] OUT: Culture: ru; windows-1251
2023-01-04 12:49:07.281 INFO Tunnel(2)[5] OUT: Resolving 'flacsfor.me'.
2023-01-04 12:49:07.296 INFO Tunnel(2)[5] OUT: Connecting to 185.165.241.225:443 using TlsClientSocket.
2023-01-04 12:49:07.328 DEBUG Tunnel(2)[5] OUT: Connection established (socket #23C0C5D).
2023-01-04 12:49:07.328 INFO Tunnel(2)[5] OUT: Starting TLS negotiation.
2023-01-04 12:49:07.328 DEBUG Tunnel(2)[5] OUT: Using TLS 1.3 core.
2023-01-04 12:49:08.015 DEBUG Tunnel(1)[4] OUT: Generating key shares.
2023-01-04 12:49:08.015 DEBUG Tunnel(2)[5] OUT: Generating key shares.
2023-01-04 12:49:08.250 DEBUG Tunnel(2)[5] OUT: Key shares generated (secp256r1, secp384r1, secp521r1, x25519).
2023-01-04 12:49:08.250 DEBUG Tunnel(1)[4] OUT: Key shares generated (secp256r1, secp384r1, secp521r1, x25519).
2023-01-04 12:49:08.859 DEBUG Tunnel(1)[7] OUT: Using modern transport layer.
2023-01-04 12:49:08.906 DEBUG Tunnel(2)[6] OUT: Using modern transport layer.
2023-01-04 12:49:08.906 DEBUG Tunnel(2)[6] OUT: HandshakeMessage:ClientHello was sent.
2023-01-04 12:49:08.937 DEBUG Tunnel(1)[7] OUT: HandshakeMessage:ClientHello was sent.
2023-01-04 12:49:12.062 DEBUG Tunnel(1)[9] OUT: HandshakeMessage:ServerHello was received.
2023-01-04 12:49:12.062 DEBUG Tunnel(2)[7] OUT: HandshakeMessage:ServerHello was received.
2023-01-04 12:49:12.468 INFO Tunnel(2)[7] OUT: Negotiating TLS 1.3, ECDH with secp256r1, AES with 128-bit key in GCM mode, SHA-256.
2023-01-04 12:49:12.468 INFO Tunnel(1)[9] OUT: Negotiating TLS 1.3, ECDH with secp256r1, AES with 128-bit key in GCM mode, SHA-256.
2023-01-04 12:49:13.578 DEBUG Tunnel(2)[7] OUT: CipherSpec:ChangeCipherSpec was received.
2023-01-04 12:49:13.578 DEBUG Tunnel(1)[6] OUT: CipherSpec:ChangeCipherSpec was received.
2023-01-04 12:49:13.609 DEBUG Tunnel(2)[9] OUT: HandshakeMessage:EncryptedExtensions was received.
2023-01-04 12:49:13.609 DEBUG Tunnel(1)[6] OUT: HandshakeMessage:EncryptedExtensions was received.
2023-01-04 12:49:13.703 DEBUG Tunnel(2)[9] OUT: HandshakeMessage:Certificate was received.
2023-01-04 12:49:13.703 DEBUG Tunnel(1)[7] OUT: HandshakeMessage:Certificate was received.
2023-01-04 12:49:13.703 DEBUG Tunnel(1)[6] OUT: HandshakeMessage:CertificateVerify was received.
2023-01-04 12:49:13.703 DEBUG Tunnel(2)[7] OUT: HandshakeMessage:CertificateVerify was received.
2023-01-04 12:49:13.796 DEBUG Tunnel(1)[6] OUT: Verifying server certificate ('CN=flacsfor.me').
2023-01-04 12:49:13.796 DEBUG Tunnel(2)[7] OUT: Verifying server certificate ('CN=flacsfor.me').
2023-01-04 12:49:14.296 INFO Tunnel(1)[6] OUT: Certificate verification status: UnknownRev (0x00000040)
2023-01-04 12:49:14.296 DEBUG Tunnel(1)[6] OUT: Certificate verification result: RevocationCheckFailed.
2023-01-04 12:49:14.296 INFO Tunnel(2)[7] OUT: Certificate verification status: UnknownRev (0x00000040)
2023-01-04 12:49:14.296 DEBUG Tunnel(2)[7] OUT: Certificate verification result: RevocationCheckFailed.
2023-01-04 12:49:14.328 ERROR Tunnel(2)[7] OUT: An error occurred: ClientWaitForCertificateVerifyState/verifyCertificate - Validation of Server Certificate failed with: RevocationCheckFailed.
2023-01-04 12:49:14.328 ERROR Tunnel(1)[6] OUT: An error occurred: ClientWaitForCertificateVerifyState/verifyCertificate - Validation of Server Certificate failed with: RevocationCheckFailed.
2023-01-04 12:49:14.328 ERROR Tunnel(1)[6] OUT: An error occurred: fhbfp.mqifl: Unable to perform revocation check of the server certificate.
2023-01-04 12:49:14.328 ERROR Tunnel(2)[7] OUT: An error occurred: fhbfp.mqifl: Unable to perform revocation check of the server certificate.
2023-01-04 12:49:14.343 DEBUG Tunnel(2)[9] OUT: Alert:CertificateUnknown was sent.
2023-01-04 12:49:14.343 DEBUG Tunnel(1)[14] OUT: Alert:CertificateUnknown was sent.
2023-01-04 12:49:14.390 ERROR Tunnel(1)[4] OUT: fhbfp.bqxzg: Handshake failed due to: Unable to perform revocation check of the server certificate. ---> fhbfp.mqifl: Unable to perform revocation check of the server certificate.
   --- Конец трассировки внутреннего стека исключений ---
   в fhbfp.nlzar.dfpdh(Task p0)
   в fhbfp.woett.dnadg()
   в Rebex.Net.TlsSocket.vowfw()
2023-01-04 12:49:14.406 INFO Tunnel(1)[4] INFO: Closing tunnel (127.0.0.1:3379) --(8080)--> (185.165.241.225:443).
by (70.2k points)
The flacsfor.me uses a certificate with OCSP revocation check mechanism, which is not available at Win XP. This is the reason of the error "Unable to perform revocation check of the server certificate."
Win XP are able to validate certificates with CRL revocation check mechanism only.

We already have custom implementation of the OCSP, so the revocation check can be independent of the machine capabilities. Unfortunately, it is not part of the current RebexTinyTlsProxy v1.0.0.

I will update the application and post link to beta version here.
by (70.2k points)
The beta version with custom certificate validator is available at
https://www.rebex.net/getfile/6a2f919e118c43cdb1f569a6ffb84398/RebexTinyTlsProxy-Binaries-v1.1.0.zip

Please give it a try by specifying -validator option.
by (160 points)
At first glance it works, thanks.
...