mholt/caddy-l4

Tunnelling legacy TLS1.0 clients to another host, terminating modern clients

agittins opened this issue · 3 comments

I have caddy running in a docker container and reverse-proxying a variety of services and it's been working great for months.

I now need to host a client's legacy service, which has clients with old libs and hard-coded certs (they're not browsers). The clients only support TLS1.0(!) and I only have a single IPv4 address on which to serve both the legacy clients and my modern services.

I am not able to have the clients upgraded at this time, so my job is to just make it work until the business side of things can resolve the older clients out in the field. I know that caddy doesn't support tls1.0 so I figure a non-terminating pass-through sort of solution might be the best answer (out of a collection of bad answers).

For now I've dnat'd all port 443 traffic to the legacy server which works but of course that means my other services are now down.

Is caddy-l4 a possible solution to my problem? In theory, the legacy clients could be identified at the TLS Client Hello packet, as they specify TLS1.0 and it would be suitable to proxy/tunnel the session to my legacy upstream and let it take care of termination etc. Any other clients (who are not using an ancient, weak implementation) would go through the normal SNI process, be locally TLS terminated and reverse-proxied to their destinations as usual.

Despite being an awful situation, am I on the right track? Is there an easier / better way to support this? My firewall is using nftables if that's relevant. I am at a bit of a loss as to how I'd configure caddy-l4 to do this so I'm not sure if it's outside of what caddy-l4 can do or I'm just being daft :-)

Any ideas (within the operational constraints I have) welcome!

(eta: screenshot of client hello packet from wireshark)

(I suspect my issue is perhaps somewhat similar to #70 but perhaps further complicated by having to support a tls version that caddy doesn't implement).
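As an added illustration of the routing idea in this post (it is not code from caddy-l4 and not the poster's own), the following standalone Python parses the first TLS record of a connection, reads the ClientHello, and decides from the highest version the client offers whether the connection should be tunnelled unmodified to a legacy upstream or terminated locally. A TLS 1.0-only client sends `legacy_version = 0x0301` and normally no extensions at all; a modern client sends `0x0303` there and lists its real versions in the `supported_versions` extension, which is why the decision has to consider both. The builder, the sample hellos, the hostname `app.example.test` and the function names are all constructed for this example.

```python
"""Classify a TLS ClientHello by the highest protocol version it offers.

Standalone example (not part of caddy-l4): peek at the ClientHello, send
clients that cannot do TLS 1.2 to a legacy upstream, terminate the rest.
"""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name (SNI)
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions


def _is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ... 0xFAFA) must be ignored."""
    hi, lo = v >> 8, v & 0xFF
    return hi == lo and (lo & 0x0F) == 0x0A


def parse_client_hello(data: bytes) -> dict:
    """Return legacy_version, supported_versions and sni from one raw TLS record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record (a ClientHello may span several records)")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    sid_len = hello[pos]; pos += 1 + sid_len    # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len      # compression methods
    info = {"legacy_version": legacy_version, "supported_versions": [], "sni": None}
    if pos + 2 > len(hello):
        return info                             # no extensions block: TLS 1.0 era client
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        edata = hello[pos:pos + elen]; pos += elen
        if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
            n = edata[0]                        # one-byte length of the version list
            info["supported_versions"] = [
                struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_SERVER_NAME and elen >= 5:
            # server_name_list length (2), name_type (1), host_name length (2), host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
    return info


def highest_offered_version(info: dict) -> int:
    """Highest non-GREASE version the client will accept."""
    versions = [v for v in info["supported_versions"] if not _is_grease(v)]
    return max(versions) if versions else info["legacy_version"]


def route_for(data: bytes) -> str:
    """'legacy' for clients that cannot negotiate TLS 1.2, 'local' otherwise."""
    return "legacy" if highest_offered_version(parse_client_hello(data)) < TLS12 else "local"


def build_client_hello(legacy_version: int, supported_versions=None, sni=None) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, zero random) for testing."""
    exts = b""
    if sni:
        name = sni.encode()
        sn = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn = struct.pack("!H", len(sn)) + sn
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn)) + sn
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv = bytes([len(sv)]) + sv
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    hello = struct.pack("!H", legacy_version) + b"\x00" * 32
    hello += b"\x00"                                   # empty session id
    hello += struct.pack("!H", 2) + b"\x00\x2f"        # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                               # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    # record-layer version is 0x0301 for compatibility, as most real clients send
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.0-only client, an older TLS 1.2 client, a modern client.
LEGACY_CLIENT = build_client_hello(TLS10)
OLD_TLS12_CLIENT = build_client_hello(TLS12, sni="app.example.test")
MODERN_CLIENT = build_client_hello(TLS12, supported_versions=[0x2A2A, TLS13, TLS12],
                                   sni="app.example.test")

if __name__ == "__main__":
    for label, hello in [("legacy", LEGACY_CLIENT), ("old-1.2", OLD_TLS12_CLIENT),
                         ("modern", MODERN_CLIENT)]:
        print(label, hex(highest_offered_version(parse_client_hello(hello))), route_for(hello))
```

Two caveats a practitioner would check before relying on this in front of real traffic: the decision is made on the first record only, so a ClientHello split across records must be buffered first, and the split upstream sees the legacy client's raw TLS, so the old server (not the proxy) remains responsible for that client's certificate and for the weak protocol it speaks.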

mholt commented

Although Caddy's TLS app doesn't support TLS < 1.2 anymore, if you're not terminating TLS then that app won't be used, and you should be able to match TLS 1.0 connections. Though I haven't tested it.

If it works for you -- or doesn't, and you want it to -- let's get your business set up on a sponsorship so we can ensure you get the support and development you need. 👍