0 votes
by (120 points)

I have a HTTP server that uses TLS 1.0/1.1 and it has to communicate with a different server that accepts TLS 1.2 communication. What is the right syntax to configure the tunnel between two and in case if any certificate has to be created where i should create in the source server or TLS proxy server ?

1 Answer

0 votes
by (69.2k points)

I suppose you want to tunnel communication from your TLS 1.0/1.1 server to TLS 1.2 server. You can run the TLS Proxy with settings like this:

tlsproxy tunnel add
  --in --in-protocol TLS --in-tls-versions TLS10,TLS11
  --out second.server.com:443 --out-protocol TLS --out-tls-versions TLS12
  --certificate-path c:\data\second-server.pfx

Since you want to translate from TLS, you need a certificate. The certificate must be issued for domain, which will be used by your HTTP server to establish TLS connections. Typically:

  • second.server.com - you need to route network traffic to the proxy (using DNS or hostfile) instead original second.server.com

You can also use:

  • localhost if the proxy will run on the same machine
  • my.proxy.com if the proxy will run on the different machine

However, please note that it can change behavior of the application, because HTTP Host header will be set to localhost (or my.proxy.com). We are working on possibility to set Host header for such cases, but it is not done yet.

Alternatively, if you don't need to use TLS on your HTTP server to request other server, you can use this settings:

tlsproxy tunnel add
  --out second-server:443 --out-protocol TLS --out-tls-versions TLS12

In this case no certificate is needed, since communication between your HTTP server and the TLS Proxy will not be encrypted.

by (120 points)
Thanks for your reply. I tried the command " tlsproxy tunnel add --in --out second-server:443 --out-protocol TLS --out-tls-versions TLS12" command but still no luck.

My setup is as below

Server A -- Application server -- This is using TLS 1.0

Server B -- rebex proxy server  -- I created TLS tunnel here.

Server C - Jira server. -- This is using TLS1.2

Error - ERROR WFE daemon 1 (24715709) on host "localhost" com.idiominc.ws.integration.tomtom.autoaction.jira.PgCreatedJiraUpdate: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: Received fatal alert: protocol_version
by (69.2k points)
I suppose that the provided error is from Server C (Jira).
Please create debug log at the proxy. What is logged there?

To create log, either modify the config.yaml (section logging):

    location: C:\data\tlsproxy\logs
    minLevel: Debug

Or run the proxy from command line with "run --debug" arguments:

  tlsproxy run --debug
by (69.2k points)
You can also send the log for analysis to support@rebex.net