Upgrade ssl version to remote destinations


#1

Hi,
I have an old Debian box running 5.0, which has OpenSSL 0.9.8g 19 Oct 2007. It runs a billing application that cannot be upgraded. The payment processor has announced that they are cutting off support for < TLS1.2, and so that means this app is going to stop working. Seems to be a lot of this going around, doesn’t it?

I am trying to determine how or if mitmproxy can be used to provide a suitable solution so that this app can continue working. I have resolved a number of issues and have correct certificates and such on this ancient host and can, with proxy settings, ‘wget’ certain sites without issue. The age of the system is a limitation in that the ssl libs don’t appear to support SNI, and this appears to be an issue that prevents me from working. I am running mitmproxy --ssl-insecure -v --listen-host x.x.x.x. (Altered wget command lines due to forum limiting ‘links’ to 2…)

  1. wget --secure-protocol=TLSv1 xhttpsx://non-wildcard-cert-site

This works. The site has an SN matching its name and mitmproxy gives me the interception.

  2. wget --secure-protocol=TLSv1 xhttpsx://hosted-ssl-site-with-wildcard-cert

This does not work. Site certificate returned is that of the host and not the requested hostname; wget complains certificate common name doesn’t match requested hostname. Makes sense.

  3. wget --no-check-certificate --secure-protocol=TLSv1 xhttpsx://hosted-ssl-site-with-wildcard-cert

This works. Mitmproxy complains “Certificate verification error for None: hostname ‘no-hostname’ doesn’t match …” but since I’m running mitmproxy with ‘ssl-insecure’, it continues and works.

  4. wget --no-check-certificate --secure-protocol=TLSv1 xhttpsx://www.authorize.net

(real url). This does not work; I get ‘502 Bad Gateway’ on the client, and mitmproxy complains:

<< Cannot establish TLS with www.authorize.net:443 (sni: None): TlsException(“SSL handshake error: Error([(‘SSL routines’, ‘ssl3_read_bytes’, ‘sslv3 alert handshake failure’)],)”,)

So, my ultimate target is the last one (a related subdomain actually) so I don’t know what I would need to do here to make this also work. Would appreciate any help I can solicit.

Thank you.

Mike


#2

You can try to launch an nginx as a reverse proxy and talk to your backend via http
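As an added illustration of the reverse-proxy approach suggested above (this is not configuration posted by either participant, and it is not specific to mitmproxy or authorize.net), the following nginx server block accepts plain HTTP from the legacy box and opens a TLS 1.2+ connection, with SNI and certificate verification, to the processor. The hostname api.example-processor.test, the addresses 10.0.0.5 (nginx host) and 10.0.0.7 (the Debian 5 box), and the CA bundle path are placeholders to be replaced with real values.

```nginx
# Added example, not from the thread. nginx runs on a modern host (10.0.0.5);
# it cannot run on the Debian 5 box itself, whose OpenSSL is the problem.
server {
    # Plain HTTP on the LAN side only: never bind this to a public address.
    listen 10.0.0.5:8080;
    server_name payments.local;

    # Only the legacy billing host may use this unencrypted hop.
    allow 10.0.0.7;
    deny  all;

    location / {
        # Upstream over HTTPS; Host header rewritten to the real API name.
        proxy_pass https://api.example-processor.test;
        proxy_set_header Host api.example-processor.test;

        # Send SNI, pin the expected upstream name, and require TLS 1.2+.
        proxy_ssl_server_name on;
        proxy_ssl_name api.example-processor.test;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the upstream certificate against the system CA bundle,
        # so the proxy does not become a silent "--no-check-certificate".
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

The billing application is then pointed at http://10.0.0.5:8080/ instead of the processor's https URL. Because the first hop is cleartext, the two hosts should sit on a trusted segment (or a dedicated VLAN or host-to-host link), and the allow/deny rules above are there so nothing else on the network can ride that hop.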