Possibility to wrap TLS 1.0/1.1 website to newer TLS?

1. The problem I’m having:

I have a site which I would have to access (the HP iLO web interface for my server), but I'm facing a problem since the web page is served over HTTPS using TLS 1.0/1.1.

The connection is forced to HTTPS and no modern TLS version is available on the server (HP no longer provides support for this system). I am trying to connect to this service with software that does not support older TLS versions.

My first idea: is it possible to replace/wrap this old TLS with a modern TLS version using Caddy as a reverse proxy in front of the web interface?

Basically like this:

HP iLO <-- Old TLS --> Caddy <-- New TLS --> Web browser

My own attempt is below in the Caddy config.

2. Error messages and/or full log output:

Error in the web browser when trying to access the iLO service (either directly or via the current Caddy configuration at https://ilo-galaxy.home.arpa):

SSL_ERROR_UNSUPPORTED_VERSION

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox.

By enabling TLS 1.0 support in the Firefox config, the site is OK and accessible.

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Ubuntu server 22.04.4 LTS, Caddy running as docker image.

b. Command:

No specific command, running in docker-compose.

c. Service/unit/compose file:

version: "3.8"

########################### SECRETS

########################### NETWORKS
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge

########################### VOLUMES

########################### SERVICES
services:
  # Caddy for internal routing
  caddy:
    image: caddy:2.7-alpine
    container_name: caddy
    restart: unless-stopped
    healthcheck:
      test: caddy validate --config /etc/caddy/Caddyfile || exit 1
      interval: "60s"
      retries: 5
      start_period: "30s"
      timeout: "10s"
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      - "82:80"
      - "444:443"
    volumes:
      - $APPDATADIR/caddy/Caddyfile:/etc/caddy/Caddyfile
      - $APPDATADIR/caddy/data:/data
      - $APPDATADIR/caddy/config:/config
      - $DOCKERDIR/logs/web/caddy:/logs
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ

d. My complete Caddy config:

{
        log {
                output file /logs/caddy.log
        }
        servers {
                trusted_proxies static 192.168.200.0/24
        }
}

(snippet) {
        tls internal
}

ilo-galaxy.home.arpa {
        reverse_proxy 192.168.200.63:443 {
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
        import snippet
}

5. Links to relevant resources:

Some discussion in the HP forums about the non-upgradability of TLS:
https://community.hpe.com/t5/server-management-remote-server/ilo2-tls-upgrade/td-p/6870639

I’m pretty sure Caddy’s HTTP client doesn’t support old TLS versions either. We’re not in the business of supporting insecure protocols.

Are you able to proxy over HTTP instead of HTTPS? Does that upstream server have an HTTP endpoint? If so then you could do that instead.


Sadly there is only an HTTP endpoint, and it serves a redirect to HTTPS. So it seems I have to find something else to wrap that connection in new TLS, or to serve plain HTTP to Caddy.

After some searching, it seems socat could maybe do the trick: "tls - Need to access old forgotten router that only supports SSLv3" (Information Security Stack Exchange).

I'll reply here if I get that working, for possible future searches on this matter.

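As an added example (not from the thread, and not Caddy's or socat's own documentation): one way to build the old-TLS/new-TLS bridge sketched in the first post, using socat as the legacy-TLS client that the follow-up post points to, so that Caddy only ever speaks plain HTTP to socat and never has to handle TLS 1.0 itself. Assumed, not from the original post: socat 1.7.4 or newer (for the `openssl-min-proto-version` option), an OpenSSL 1.1.1/3.x build that still has TLS 1.0 compiled in (it is only disabled by the default security level, which the generated config lowers for the socat process alone), a listen address of 127.0.0.1:8443 that the Caddy container can reach, and the site block and snippet names from the poster's Caddyfile. The iLO address 192.168.200.63:443 is the one in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Legacy-TLS bridge:
#   Browser <- modern TLS -> Caddy <- plain HTTP -> socat <- TLS 1.0 -> iLO
# Assumptions (not from the post): socat >= 1.7.4, OpenSSL with TLS 1.0 compiled in,
# and LISTEN_ADDR:LISTEN_PORT reachable from the Caddy container.
ILO_HOST="${ILO_HOST:-192.168.200.63}"
ILO_PORT="${ILO_PORT:-443}"
LISTEN_ADDR="${LISTEN_ADDR:-127.0.0.1}"
LISTEN_PORT="${LISTEN_PORT:-8443}"
LEGACY_CNF="${LEGACY_CNF:-/tmp/openssl-legacy.cnf}"

# OpenSSL 3 (and Debian/Ubuntu builds of 1.1.1) refuse TLS 1.0/1.1 at the default
# security level 2. This config drops the level to 0 and lowers the protocol floor.
# It is handed to socat alone through OPENSSL_CONF, never installed system-wide.
write_legacy_openssl_cnf() {
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
EOF
}

# socat listener: plain TCP, one forked handler per Caddy connection.
listen_addr() {
  printf 'TCP-LISTEN:%s,bind=%s,reuseaddr,fork' "$LISTEN_PORT" "$LISTEN_ADDR"
}

# socat upstream: TLS client toward the iLO. verify=0 is deliberate and matches the
# post's tls_insecure_skip_verify: the iLO presents a self-signed certificate, so the
# legacy hop is unauthenticated and must stay on the trusted LAN segment.
upstream_addr() {
  printf 'OPENSSL:%s:%s,verify=0,openssl-min-proto-version=TLS1,cipher=DEFAULT@SECLEVEL=0' \
    "$ILO_HOST" "$ILO_PORT"
}

# The matching Caddy site block: Caddy terminates modern TLS for the browser and
# forwards plain HTTP to socat, so the old-TLS hop is entirely socat's problem.
# "snippet" is the poster's own tls-internal snippet from the Caddyfile above.
caddy_site_block() {
  cat <<EOF
ilo-galaxy.home.arpa {
        reverse_proxy ${LISTEN_ADDR}:${LISTEN_PORT}
        import snippet
}
EOF
}

# Only start the bridge when explicitly asked ("sh bridge.sh run"); otherwise the
# script just defines the helpers so they can be sourced or inspected.
if [ "${1:-}" = "run" ]; then
  write_legacy_openssl_cnf "$LEGACY_CNF"
  echo "Caddy site block to use:" >&2
  caddy_site_block >&2
  OPENSSL_CONF="$LEGACY_CNF" exec socat "$(listen_addr)" "$(upstream_addr)"
fi
```

Run it on the Docker host with `sh bridge.sh run`; because the poster's Caddy runs in a container, either set `LISTEN_ADDR` to an address the container can route to, or run socat as a sibling container on the `t2_proxy` network and point `reverse_proxy` at its service name. The socat-to-Caddy hop is cleartext HTTP, so keep it on loopback or the private Docker network, and keep in mind that nothing in this setup authenticates the iLO: the browser's modern TLS ends at Caddy, and trust in the last hop rests entirely on the LAN between the host and the iLO.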