
haproxy tls1.0 to tls1.3 proxy

I have a very old application on prem that can only talk TLS 1.0, and I need to talk to an internet site on TLS 1.3. Can I use HAProxy to configure my local listener to listen on HTTPS TLS 1.0 and forward these GET and POST requests to an internet-facing API on TLS 1.3?

If not HAProxy, what can I use?

Thanks Tag

Using HAProxy, you may specify different ciphers for bind and server in the global section, which could look like this:

global
    # modern bind configuration, only TLS1.3 enabled.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

or

global
    # old configuration for the server side, only sslv3 and below are disabled, tls1.0, tls1.2 and tls1.3 are all enabled.
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tls-tickets
    # you may also add the below:
    ssl-server-verify none

I hope this works for you. HAProxy is very flexible to suit your needs. Reference: https://ssl-config.mozilla.org/#server=haproxy

I had exactly the same problem and there was no solution on the internet, but after 2 days I finally found a solution with HAProxy (maybe it can help someone).

My case: Traffic -> myfakehost.com (listening TLS1.0) -> myhost.com (listening TLS1.2).

/etc/haproxy/haproxy.cfg:

frontend old_maps
  bind *:443 ssl crt /etc/haproxy/mycertificate.pem force-tlsv10
  mode tcp
  default_backend new_maps

backend new_maps
  mode http
  balance roundrobin
  option forwardfor
  http-request set-header Host myhost.com
  server mymaps myhost.com:443 ssl check verify none

As you can see, I had a few problems with certificates and I needed to use the set-header option to change the original URL to the new URL.

Note: in my case mycertificate.pem needs to contain the private key, server certificate, intermediate certificate and root certificate, and myfakehost.com is an alias for localhost in /etc/hosts.

Debug tools:

 curl -v https://myfakehost.com
 openssl s_client -showcerts -connect myfakehost.com:443
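Neither answer shows the exact shape the question asks for (TLS 1.0 only on the local listener, TLS 1.3 only towards the Internet API), and both use `verify none`, which turns off validation of the upstream certificate, so the TLS 1.3 leg would accept any server. The haproxy.cfg below is an added example, not taken from either answer: the loopback port 8443, api.example.com, the listener certificate path and the CA bundle path are assumptions to replace with your own values.

```haproxy
global
    log stdout format raw local0
    # Leg 1 is the only weak part of the chain: TLS 1.0 needs CBC cipher suites (no GCM before TLS 1.2).
    # On HAProxy builds linked against OpenSSL 3.x, TLS 1.0 is refused at the default security level;
    # appending :@SECLEVEL=0 to this list is what re-enables it.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA
    # Leg 2 is TLS 1.3 only, so only TLS 1.3 cipher suites are needed.
    ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Leg 1: the old on-prem application connects here over TLS 1.0.
frontend legacy_in
    # bind on loopback (or a private interface) only, so the TLS 1.0 listener is never reachable from outside
    # ssl-min-ver/ssl-max-ver pin this bind to exactly TLS 1.0 (the modern replacement for force-tlsv10)
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/legacy-listener.pem ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.0
    default_backend modern_api

# Leg 2: HAProxy re-originates each GET/POST to the Internet API over TLS 1.3 only.
backend modern_api
    # the legacy client still sends its old hostname; rewrite Host for the real API
    http-request set-header Host api.example.com
    # verify required + ca-file: HAProxy validates the upstream certificate chain instead of accepting anything;
    # sni sends the hostname in the ClientHello; check-sni does the same for health checks
    server api api.example.com:443 ssl ssl-min-ver TLSv1.3 verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(api.example.com) check check-sni api.example.com
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm each leg negotiates only the intended version, run the `openssl s_client` check from the answer above twice: once with `-tls1 -connect 127.0.0.1:8443` (must succeed, while `-tls1_2` against the same port must fail) and once with `-tls1_3 -connect api.example.com:443`. If the API's certificate is issued by a private CA, point `ca-file` at that CA's bundle rather than falling back to `verify none`.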
