You can't create a TLS tunnel without a certificate, but you can work around the problem:
1. Create a self-signed certificate for the target server's (= the Internet server using TLS 1.2) domain names:
tlsproxy certgen -s "CN=example.org" -a "example.org,www.example.org" -b 2048 example
2. Configure the TLS 1.0 server to trust this self-signed certificate. That means either adding 'example.crt' to the Root CA store of the account under which the server runs (if it uses the Windows certificate API) or to the server's list of trusted root CAs.
3. Create the TLS 1.0 to TLS 1.2 tunnel.
Please note that the certgen command creates a certificate signed with the RSA/SHA-256 algorithm. If the TLS 1.0 server is very old and does not support RSA/SHA-256 yet, you would have to create a certificate signed with RSA/SHA-1 instead. Just add the "-h SHA-1" parameter to the certgen command (available from v1.7.0).
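Before adding 'example.crt' to a trusted root store in step 2, it is worth confirming that it carries the signature algorithm the TLS 1.0 server can handle and that it covers every host name the tunnel will present. The script below is an added example, not part of the original answer or of tlsproxy; it assumes the openssl command-line tool is installed and that the .crt file is a PEM or DER X.509 certificate, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Assumes the openssl CLI is on PATH and the .crt file is PEM or DER X.509.

# Print the certificate in text form, trying PEM first and then DER.
cert_text() {
    openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    cert_text "$1" | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed only if the SAN extension lists the exact DNS name $2.
cert_has_san() {
    cert_text "$1" | grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# check_cert FILE EXPECTED_ALG NAME...
# Fails if the signature algorithm differs or any NAME is missing from the SANs.
check_cert() {
    file=$1; want_alg=$2; shift 2
    got_alg=$(cert_sig_alg "$file")
    [ "$got_alg" = "$want_alg" ] ||
        { echo "signature algorithm is '$got_alg', expected '$want_alg'" >&2; return 1; }
    for name in "$@"; do
        cert_has_san "$file" "$name" ||
            { echo "certificate does not cover $name" >&2; return 1; }
    done
}

# Constructed stand-in for the certgen output, made with openssl so the checks
# can be tried without tlsproxy. Writes example.crt and example.key into dir $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=example.org" \
        -addext "subjectAltName=DNS:example.org,DNS:www.example.org" \
        -keyout "$1/example.key" -out "$1/example.crt" 2>/dev/null
}

# When called with arguments, check the given certificate.
if [ "$#" -ge 3 ]; then check_cert "$@"; fi
```

Saved under a name of your choice, it is invoked with the certificate file, the expected algorithm and the host names, for example: example.crt sha256WithRSAEncryption example.org www.example.org. For a certificate created with "-h SHA-1", the algorithm name OpenSSL reports is sha1WithRSAEncryption.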