Web Application Firewall & Reverse Proxy

  • 1.  Independent SSL version for client-proxy and proxy-OCS

    Posted Apr 26, 2018 09:04 AM

    Hi,

    is it possible to have different SSL versions for the client-proxy connection and proxy-OCS connection?

    For example, if we had a client application which only supports TLS1.0 and goes out through the proxy, in a forward proxy scenario, could we tell the proxy to then secure that connection on the internet side, by upgrading the proxy-OCS connection to TLS1.2?

    As we are speaking about 2 different connections, this should be possible.

    As far as I can tell, the only thing the proxy can do at the moment is forward the client's version to the OCS.

    The SGOS Administrator manual states:

    "Note:
    The SSL proxy, also known as the SSL forward proxy, uses parameters taken from the SSL connection made by the client when originating SSL connections to the server. As a result, settings in the default SSL client profile are not applied to these connections."

    I couldn't find any document describing an overwrite of the client-chosen SSL version.

    Is there a way to achieve this, and, if not, are there any future plans to add that feature?

    Thank you.



  • 2.  RE: Independent SSL version for client-proxy and proxy-OCS

    Posted Apr 26, 2018 11:05 AM

    Hi,

     

    At present the SSL connection needs to be the same end-to-end in FWD proxy. So if the client is communicating in TLSv1.0, all parties involved will follow that. There is a change in SSL Arch in 6.7.4.x related to the way the SSL connections are established. Even with this change, there is no change mentioned in having different SSL versions on either side.



  • 3.  RE: Independent SSL version for client-proxy and proxy-OCS

    Posted May 09, 2018 03:41 AM

    Hi Aravind,

    thank you for your reply.

    Your solutions on other posts were quite helpful, you're doing a great job.

    Are you aware of any plans to implement an overwriting option for the SSL version?

    Kind regards,

    Mircea



  • 4.  RE: Independent SSL version for client-proxy and proxy-OCS
    Best Answer

    Posted May 09, 2018 04:41 AM

    Hi Mircea,

     

    Happy to hear that my answers are helping you :). I am not able to see that there is a plan to add the feature of having different types of sessions on either side of the proxy. I would recommend passing this as a Feature Request to our sales engineer. If there is one such request already, the SE can endorse the same for product management to evaluate.