0 votes
ago by (120 points)

Hello dear support.
I'm trying to set up the "Rebex TLS Proxy" for my task and I think this is just a fine solution.

What I need: I need to have the ability to connect all versions of Internet browsers (primarily IE) to all versions and generations of SSL/TLS servers that I deal with.

My idea is that I set the incoming connection to "Rebex TLS Proxy" to plain HTTP and the outgoing connection to the needed server to HTTPS.

In case of a correct certificate on the server side everything works fine. But I have several SSL/TLS servers that are not always updated and may have incorrect certificates (outdated or similar).

The last thing I have faced is a problem with the certificate authority chain. If I connect directly via the browser I get the message "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." but it can be ignored and I can still work.
In this case "Rebex TLS Proxy" gives the error message "Certificate verification result: UnknownAuthority". If I install this certificate into the local Trusted Root Certificate Authorities store, it starts working with "Rebex TLS Proxy" as well.

My question is: is it possible to set up the "Rebex TLS Proxy" to allow the outbound SSL/TLS connection while ignoring all errors in the server certificate (wrong host name, expired, unknown authority, etc.)? If there is a physical ability to transfer data, just do the transfer.

Thank you a lot!

Applies to: Rebex TLS
ago by (74.4k points)
Just a note for you: "If I install this certificate into the local Trusted Root Certificate Authorities store, it starts working with "Rebex TLS Proxy" as well."

This is the suggested solution. If you want to connect to a site whose certificate was issued by an unknown Certification Authority, you should review the Authority and the site, and if you find them trustworthy, install the CA certificate into the Trusted Root Certificate Authorities store.

In some cases it would be better to add an exception for just one particular server certificate without needing to trust its authority. If this is what you would prefer, just let us know.

1 Answer

0 votes
ago by (74.4k points)

Hello,

Rebex TLS Proxy is prepared for such a scenario, but we strongly discourage using it in a production environment. Bypassing the certificate check lowers security and in some cases removes the purpose of TLS altogether.

To alter certificate validation, use the validationOptions setting in the tunnel definition in the config.yaml file. You can use these values:

  1. IgnoreInvalidTime - ignores time validity errors; useful for expired certificates.
  2. SkipRevocationCheck - does not perform the certificate revocation check.
  3. IgnoreCommonNameMismatch - ignores wrong host name errors.
  4. AcceptAll - does not perform the certificate check at all.

I will now describe how settings 3 and 4 are dangerous:

IgnoreCommonNameMismatch
Let's suppose an attacker has a valid domain, mydomain.com, with a valid and globally trusted certificate.
You want to connect to mybank.com, but the attacker redirects the traffic to their fraudulent site and presents the certificate for mydomain.com. The certificate is perfectly valid, except that it was issued for a different domain, so a web browser (and TLS Proxy) would abort the connection with an appropriate error.
If you use IgnoreCommonNameMismatch, the critical host name error is ignored and you are served the fraudulent site without knowing.

AcceptAll
It is basically the same as the example above, but in this case the attacker does not need a valid certificate at all. Any certificate is enough to redirect you to a fraudulent site without your knowing.


Example of configuration:

tunnels: 
  - name: example
    in: { address: 0.0.0.0, port: 8080 }
    out: { address: httpbin.org, port: 443, protocol: TLS }
    validationOptions: AcceptAll # do not use this in production!
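As an added illustration of the four options described in this answer (this is not Rebex code and does not show how the proxy is implemented), the following Python model performs the checks an ordinary TLS client makes on a server certificate and shows which check each option switches off. The option names are the ones listed above; the error label UnknownAuthority is the one from the question, while the other error labels, the Cert record and the sample certificates are constructed for the example. Whether the real validationOptions setting accepts several values at once is not stated on this page; the model lets you combine them so you can see which error each one removes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Flag, auto


class ValidationOptions(Flag):
    """The four values listed in the answer, modelled as combinable flags."""
    NONE = 0
    IGNORE_INVALID_TIME = auto()
    SKIP_REVOCATION_CHECK = auto()
    IGNORE_COMMON_NAME_MISMATCH = auto()
    ACCEPT_ALL = auto()


@dataclass
class Cert:
    """Constructed stand-in for the fields a validator reads from a leaf certificate."""
    names: tuple                 # dNSName entries of subjectAltName (or the CN)
    not_before: datetime
    not_after: datetime
    chains_to_trusted_root: bool  # issuer chain ends in a root of the trust store
    revoked: bool = False


def host_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style host name match: case-insensitive, and a leading '*.'
    wildcard covers exactly one DNS label ('*.com' is never accepted)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".mydomain.com"
        return (host.endswith(suffix)
                and host.count(".") == pattern.count(".")
                and "." in suffix[1:])
    return pattern == host


def check(cert: Cert, host: str, now: datetime,
          options: ValidationOptions = ValidationOptions.NONE) -> list:
    """Return the validation errors that survive the given options.
    An empty list means the handshake would be completed."""
    if ValidationOptions.ACCEPT_ALL in options:
        return []                                  # no check at all
    errors = []
    if not cert.chains_to_trusted_root:
        # The error from the question; in this model only ACCEPT_ALL bypasses it.
        errors.append("UnknownAuthority")
    if (not cert.not_before <= now <= cert.not_after
            and ValidationOptions.IGNORE_INVALID_TIME not in options):
        errors.append("outside validity period")
    if (not any(host_matches(n, host) for n in cert.names)
            and ValidationOptions.IGNORE_COMMON_NAME_MISMATCH not in options):
        errors.append("host name not in certificate")
    if cert.revoked and ValidationOptions.SKIP_REVOCATION_CHECK not in options:
        errors.append("revoked")
    return errors


def _jan1(year: int) -> datetime:
    return datetime(year, 1, 1, tzinfo=timezone.utc)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"

# Attacker's certificate from the answer's scenario: trusted and in date, but for mydomain.com.
ATTACKER_CERT = Cert(("mydomain.com", "*.mydomain.com"), _jan1(2024), _jan1(2025), True)
# The bank's own certificate on a server nobody renewed: right name, trusted chain, expired.
EXPIRED_BANK_CERT = Cert(("mybank.com",), _jan1(2022), _jan1(2023), True)
# Internal server signed by a private CA that is not in the trust store (the question's case).
PRIVATE_CA_CERT = Cert(("intranet.example",), _jan1(2024), _jan1(2025), False)


if __name__ == "__main__":
    for opt in (ValidationOptions.NONE, ValidationOptions.IGNORE_INVALID_TIME,
                ValidationOptions.IGNORE_COMMON_NAME_MISMATCH, ValidationOptions.ACCEPT_ALL):
        print(f"{opt.name:28} attacker cert for mybank.com ->",
              check(ATTACKER_CERT, "mybank.com", NOW, opt))
        print(f"{opt.name:28} expired mybank.com cert      ->",
              check(EXPIRED_BANK_CERT, "mybank.com", NOW, opt))
        print(f"{opt.name:28} private-CA intranet cert     ->",
              check(PRIVATE_CA_CERT, "intranet.example", NOW, opt))
```

The model makes the trade-off in the answer concrete: IgnoreInvalidTime alone covers the asker's expired-certificate servers while the mydomain.com certificate presented for mybank.com is still rejected, whereas IgnoreCommonNameMismatch and AcceptAll let that certificate through. The UnknownAuthority error from the question is only removed by AcceptAll, which is why the comment above recommends reviewing and installing the CA certificate instead.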
ago by (120 points)
Thank you a lot! This is exactly what I need! Blessings!