Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

Posted by Ryan Collier 
March 16, 2017 05:10PM
Hello,

We have a legacy application that can only use TLS 1.1 due to the version of Java it supports (1.6). We connect to a third party for credit card authorizations, and they are going to be upgrading their web services endpoint to only accept TLS 1.2 traffic sometime over the summer. We need to set up a proxy to intercept the TLS 1.1 traffic and bump it up to TLS 1.2 so that we can remain compliant. Can HAProxy do what I just described?

Thank you,

Ryan Collier
Lamps Plus
Unix/Linux Systems Administrator
[email protected]
Office | 1-818-428-4392
Hello Ryan,


On 16.03.2017 at 17:02, Ryan Collier wrote:
> We have a legacy application that can only use TLS 1.1 due to the
> version of Java it supports (1.6). We connect to a third party for
> credit card authorizations, and they are going to be upgrading their
> web services endpoint to only accept TLS 1.2 traffic sometime over the
> summer. We need to set up a proxy to intercept the TLS 1.1 traffic and
> bump it up to TLS 1.2 so that we can remain compliant. Can HAProxy do
> what I just described?

HAProxy can definitely do that. You would just configure the destination
server as a backend with TLS termination enabled and configure your
frontend as you need (with TLS or even plaintext).

Don't mess around with parameters like force-tlsv... etc, the correct
TLS version will be negotiated.



cheers,
lukas
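
Added example, not part of the thread and not posted by any participant: one way the setup described in the reply above could look as an HAProxy configuration, with certificate verification enabled on the re-encrypted hop. The hostname `payments.example.com`, the listen address and the file paths are placeholders.

```haproxy
# Constructed example; hostnames, addresses and paths are placeholders.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The legacy Java 1.6 application is pointed here instead of at the
# third-party endpoint. Binding to loopback keeps the weaker hop on the host.
# If the proxy runs on a different machine, terminate TLS here instead, e.g.:
#   bind 10.0.0.5:8443 ssl crt /etc/haproxy/certs/proxy.pem
frontend legacy_in
    bind 127.0.0.1:8080
    default_backend payment_gateway

backend payment_gateway
    # Send the Host header the upstream expects, not the proxy's own name.
    http-request set-header Host payments.example.com

    # "ssl"             : HAProxy opens TLS to the server; the protocol version
    #                     is negotiated (TLS 1.2 needs an OpenSSL build that
    #                     supports it, i.e. 1.0.1 or later).
    # "verify required" : reject the connection unless the server certificate
    #                     chains to a CA in ca-file.
    # "verifyhost"      : additionally require the certificate to match this name.
    # "sni"             : send the server name in the TLS handshake.
    server gw1 payments.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost payments.example.com sni str(payments.example.com)
```

Running `haproxy -c -f <file>` checks the configuration for syntax errors before it is loaded.
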
Hello, Ryan!

I also propose a different approach... just in case.

I had the same problem with some further constraints.
The Java client runs on Windows and an haproxy instance running on
another server was very difficult to set up while complying with all the
security policies.

In this case it was much easier to set up a stunnel instance on the
Windows server instead of fighting with the security auditor ;-)

..marcoc