Topic: Reverse Proxy to a internal website hosted on Windows 2008
impeeza
Joined: 10 Apr 2024
Posts: 3
Location: Colombia

Posted: Wed 10 Apr '24 20:18    Post subject: Reverse Proxy to a internal website hosted on Windows 2008

1. Problem:
Until now I have been running a Reverse Proxy service on a Windows 2022 server, running Apache Haus httpd-2.4.55-o111s-x64-vs17.zip (Built using C sources from the ASF and OpenSSL on Visual Studio 2022 (VS17).)
With the following modifications to the default config files:
1.1. \conf\httpd.conf

First I enabled the following modules by uncommenting them:
Code:

LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule filter_module modules/mod_filter.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule xml2enc_module modules/mod_xml2enc.so

And added this at end of file:
Code:

#initialize default website (to handle unpublished URLs)
<VirtualHost *:80>
   ServerName VCSMCELPUB01.grupomun.com
</VirtualHost>


#Log Rotation
LoadModule log_rotate_module modules/mod_log_rotate.so
RotateLogs On
RotateInterval 172800


#Include folder with reversed proxy sites.
Include conf/sites/*.conf


1.2. \conf\extra\httpd-ahssl.conf
Setup of public certificates and enable SSL Proxy:
Code:
  SSLCertificateFile "${SRVROOT}/conf/ssl/PublicCert.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/PublicCert.key"


# Enable HTTPS Proxy
SSLProxyEngine on


1.3. \conf\httpd-ssl.conf
Code:
SSLCertificateFile "${SRVROOT}/conf/ssl/PublicCert.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/PublicCert.key"
SSLCACertificateFile "${SRVROOT}/conf/ssl/PublicCert.cer"


1.4. The site is published via reverse proxy with the file:
\conf\sites\external.url.site.conf
Code:

<VirtualHost *:80>
  ServerName external.url.site
  CustomLog logs/external.url.site.access_log combined
  ErrorLog logs/external.url.site.error_log

  #IF EXTERNAL USER MAKE HTTP CONNECTION, REDIRECTION TO HTTPS URL TO AVOID EXTERNAL HTTP CONNECTIONS.
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{SERVER_NAME}$1
</VirtualHost>


<VirtualHost *:443>
  SSLEngine on
  ProxyRequests off
  ServerName external.url.site:443
  SSLCertificateFile "${SRVROOT}/conf/ssl/StarGM.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/StarGM.key"
  CustomLog logs/external.url.site_HTTPS.access_log combined
  ErrorLog logs/external.url.site_HTTPS.error_log
  Timeout 300

  # Redirect the site root.
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/$
  RewriteRule ^(.*)$ https://%{SERVER_NAME}/wfrmLogin.aspx [L,R=301]

  # Reverse proxy
  ProxyPreserveHost On
  ProxyPass / https://INTERNAL.SERVER.site:443/ retry=0
  ProxyPassReverse / https://INTERNAL.SERVER.site:443/
</VirtualHost>


2. Site access
The site is on a Windows 2008 server using IIS; it can be accessed internally without the proxy and, using the external URL, via the proxy:

[img]https://ibb.co/PNThNz1[/img]

After upgrading to the latest Apache Lounge “httpd-2.4.59-240404-win64-VS17.zip”, accessing the site using the external URL gives the following error:

[img]https://ibb.co/gRG5XR7[/img]

Proxy Error
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server


In the Apache site log, using debug level, you get:

Code:

[Wed Apr 10 12:18:16.845591 2024] [ssl:info] [pid 1004:tid 364] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:16.845591 2024] [ssl:debug] [pid 1004:tid 364] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:16.845591 2024] [ssl:debug] [pid 1004:tid 364] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:16.845591 2024] [ssl:info] [pid 1004:tid 364] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:19.011930 2024] [ssl:info] [pid 1004:tid 364] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:19.011930 2024] [ssl:debug] [pid 1004:tid 364] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:19.011930 2024] [ssl:debug] [pid 1004:tid 364] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:19.011930 2024] [ssl:info] [pid 1004:tid 364] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:21.668445 2024] [ssl:info] [pid 6112:tid 392] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:21.668445 2024] [ssl:debug] [pid 6112:tid 392] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:21.668445 2024] [ssl:debug] [pid 6112:tid 392] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:21.668445 2024] [ssl:info] [pid 6112:tid 392] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:23.746585 2024] [ssl:info] [pid 6112:tid 392] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:23.746585 2024] [ssl:debug] [pid 6112:tid 392] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:23.746585 2024] [ssl:debug] [pid 6112:tid 392] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:23.746585 2024] [ssl:info] [pid 6112:tid 392] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2123): AH00925: initializing worker https://INTERNAL.SERVER.site/ shared
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2183): AH00927: initializing worker https://INTERNAL.SERVER.site/ local
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2214): AH00930: initialized pool in child 6112 for (INTERNAL.SERVER.site:443) min=0 max=159 smax=159
[Wed Apr 10 12:18:25.214995 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(415): [remote 10.60.3.28:49252] AH02034: Subsequent (No.2) HTTPS request received for child 16131 (server external.url.site:443)
[Wed Apr 10 12:18:25.214995 2024] [authz_core:debug] [pid 6112:tid 2236] mod_authz_core.c(843): [remote 10.60.3.28:49252] AH01628: authorization result: granted (no directives)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] mod_proxy.c(1506): [remote 10.60.3.28:49252] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2538): AH00942: https: has acquired connection for (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2596): [remote 10.60.3.28:49252] AH00944: connecting https://INTERNAL.SERVER.site/wfrmLogin.aspx to INTERNAL.SERVER.site:443
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2819): [remote 10.60.3.28:49252] AH00947: connected /wfrmLogin.aspx to INTERNAL.SERVER.site:443
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(3291): AH02824: https: connection established with 10.60.1.239:443 (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(3480): AH00962: https: connection complete to 10.60.1.239:443 (INTERNAL.SERVER.site)
[Wed Apr 10 12:18:25.214995 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01964: Connection to child 0 established (server external.url.site:443)
[Wed Apr 10 12:18:25.230621 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(1764): [remote 10.60.1.239:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 0D07782A133FC6F9A57296E131FFD179 / notbefore: Nov  2 12:23:37 2017 GMT / notafter: Nov  2 12:23:37 2027 GMT]
[Wed Apr 10 12:18:25.230621 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(1764): [remote 10.60.1.239:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:25.230621 2024] [socache_shmcb:debug] [pid 6112:tid 2236] mod_socache_shmcb.c(570): AH00837: socache_shmcb_remove (0xfb -> subcache 27)
[Wed Apr 10 12:18:25.230621 2024] [socache_shmcb:debug] [pid 6112:tid 2236] mod_socache_shmcb.c(585): AH00839: leaving socache_shmcb_remove successfully
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH02003: SSL Proxy connect failed
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] SSL Library Error: error:0A0C0103:SSL routines::internal error
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01998: Connection closed to child 0 with abortive shutdown (server external.url.site:443)
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01997: SSL handshake failed: sending 502
[Wed Apr 10 12:18:25.230621 2024] [proxy:error] [pid 6112:tid 2236] (20014)Internal error (specific information not available): [remote 10.60.3.28:49252] AH01084: pass request body failed to 10.60.1.239:443 (INTERNAL.SERVER.site)
[Wed Apr 10 12:18:25.230621 2024] [proxy:error] [pid 6112:tid 2236] [remote 10.60.3.28:49252] AH00898: Error during SSL Handshake with remote server returned by /wfrmLogin.aspx
[Wed Apr 10 12:18:25.230621 2024] [proxy_http:error] [pid 6112:tid 2236] [remote 10.60.3.28:49252] AH01097: pass request body failed to 10.60.1.239:443 (INTERNAL.SERVER.site) from 10.60.3.28 ()
[Wed Apr 10 12:18:25.230621 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2554): AH00943: https: has released connection for (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.230621 2024] [:debug] [pid 6112:tid 3420] mod_log_rotate.c(209): New: 2590720000, old: 2590720000
[Wed Apr 10 12:18:30.235858 2024] [ssl:debug] [pid 6112:tid 3420] ssl_engine_io.c(1147): [client 10.60.3.28:49252] AH02001: Connection closed to child 63 with standard shutdown (server external.url.site:443)


3. Internal site SSL Analysis
Making an analysis of the internal site using TESTSSL.SH you get:

Code:

$ ./testssl.sh https://INTERNAL.SERVER.site


###########################################################
    testssl.sh       3.2rc3 from https://testssl.sh/dev/
    (5581499 2024-04-02 11:15:12)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)" [~94 ciphers]
 on VCSMCELPUB01:/usr/bin/openssl
 (built: "Jan 30 20:20:57 2024", platform: "Cygwin-x86_64")


 Start 2024-04-09 16:05:47                -->> 10.10.10.10:443 (INTERNAL.SERVER.site) <<--

 rDNS (10.60.1.239):     INTERNAL.SERVER.site
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      offered (NOT ok), also VULNERABLE to DROWN attack -- 2 ciphers
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       not offered
 Forward Secrecy strong encryption (AEAD ciphers)  not offered


 Testing server's cipher preferences

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2 (listed by strength)
 x010080 RC4-MD5                           RSA        RC4         128      SSL_CK_RC4_128_WITH_MD5
 x0700c0 DES-CBC3-MD5                      RSA        3DES        168      SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSLv3 (server order)
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5
TLSv1.1
 -
TLSv1.2
 -
TLSv1.3
 -

 Has server cipher order?     yes (OK)


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK)           ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 secp384r1
 DH group offered:            RFC2409/Oakley Group 2 (1024 bits)

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "status request/#5" "renegotiation info/#65281" "extended master secret/#23"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               -12 sec from localtime
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial                       014AC21754392E769F5FB21145304435 (OK: length 16)
 Fingerprints                 SHA1 4567B04CB8240E1E6F688A14C021907176E186CA
                              SHA256 FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 Common Name (CN)             *.grupomun.com
 subjectAltName (SAN)         *.grupomun.com grupomun.com
 Trust (hostname)             Ok via SAN wildcard and CN wildcard (same w/o SNI)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   expires < 30 days (17) (2023-04-26 00:00 --> 2024-04-26 23:59)
 ETS/"eTLS", visibility info  not present
 Certificate Revocation List  http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl
 OCSP URI                     http://status.geotrust.com
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    unknown query type: type257
unknown query type: type257
unknown query type: type257
*** FCSMMDEADS02.grupomun.com can't find com.: Server failed
not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       GeoTrust TLS RSA CA G1 (DigiCert Inc from US)
 Intermediate cert validity   #1: ok > 40 days (2027-11-02 12:23). GeoTrust TLS RSA CA G1 <-- DigiCert Global Root G2
 Intermediate Bad OCSP (exp.) Ok


 Testing HTTP header response @ "/"

 HTTP Status Code             302 Found, redirecting to "/wfrmLogin.aspx"
 HTTP clock skew              -1 (± 1.5) sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                Microsoft-IIS/7.5
 Application banner           X-AspNet-Version: 4.0.30319
                              X-Powered-By: ASP.NET
 Cookie(s)                    1 issued: NOT secure, 1/1 HttpOnly -- maybe better try target URL of 30x
 Security headers             Cache-Control: private
 Reverse Proxy banner         --


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     likely not vulnerable (OK), timed out
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported and vulnerable to POODLE SSL
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers for SSLv2 and above
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      VULNERABLE (NOT ok), SSLv2 offered with 2 ciphers
                                           Make sure you don't use this certificate elsewhere, see:
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 LOGJAM (CVE-2015-4000), experimental      VULNERABLE (NOT ok): common prime: RFC2409/Oakley Group 2 (1024 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     SSL3: DES-CBC3-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK) - doesn't seem to be IIS 8.x
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5


 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 9.0 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 10.0 (native)        TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 11 (native)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 12 (native)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Chrome 79 (Win 10)           TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Chrome 101 (Win 10)          No connection
 Firefox 66 (Win 8.1/10)      TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Firefox 100 (Win 10)         No connection
 IE 6 XP                      SSLv3     DES-CBC3-SHA                      No FS
 IE 8 Win 7                   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 8 XP                      TLSv1.0   DES-CBC3-SHA                      No FS
 IE 11 Win 7                  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Edge 101 Win 10 21H2         No connection
 Safari 12.1 (iOS 12.2)       TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Safari 13.0 (macOS 10.14.6)  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Safari 15.4 (macOS 12.3.1)   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 8u161                   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        No connection
 go 1.17.8                    TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 LibreSSL 2.8.3 (Apple)       TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian)      No connection
 OpenSSL 3.0.3 (git)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Apple Mail (16.0)            TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Thunderbird (91.9)           No connection


 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  0 (0)
 Key Exchange     (weighted)  0 (0)
 Cipher Strength  (weighted)  0 (0)
 Final Score                  0
 Overall Grade                F
 Grade cap reasons            Grade capped to F. Vulnerable to DROWN
                              Grade capped to F. SSLv2 is offered
                              Grade capped to C. Vulnerable to POODLE
                              Grade capped to C. TLS 1.2 is not offered
                              Grade capped to B. Vulnerable to BEAST
                              Grade capped to B. TLS 1.0 offered
                              Grade capped to B. SSLv3 is offered
                              Grade capped to B. RC4 ciphers offered
                              Grade capped to A. HSTS is not offered
                              Grade capped to A. Does not support TLS_FALLBACK_SCSV

 Done 2024-04-09 16:42:52 [2680s] -->> 10.60.1.239:443 (INTERNAL.SERVER.site) <<--



What should I do to be able to access the site using the reverse proxy?

impeeza
Joined: 10 Apr 2024
Posts: 3
Location: Colombia

Posted: Thu 11 Apr '24 7:30
I just created a parallel setup to run tests, and discovered that using the same version of Apache Haus but the OpenSSL 3 version (Apache 2.4.x OpenSSL 3.0.x VS17) I have the same problem, so it is something about OpenSSL.

On OpenSSL 1 the Windows 2008 SSL site can be proxied without problem, but OpenSSL 3 has the «Error during SSL Handshake with remote server».

Any thoughts?

Is there an Apache Lounge version using OpenSSL 1?

Thanks.

tangent
Moderator
Joined: 16 Aug 2020
Posts: 315
Location: UK

Posted: Fri 12 Apr '24 20:36

Believe your problem lies in the fact your internal server doesn't support anything later than TLSv1, as shown by your Internal Site SSL Analysis.
    SSLv2 offered (NOT ok), also VULNERABLE to DROWN attack -- 2 ciphers
    SSLv3 offered (NOT ok)
    TLS 1 offered (deprecated)
    TLS 1.1 not offered
    TLS 1.2 not offered and downgraded to a weaker protocol
    TLS 1.3 not offered and downgraded to a weaker protocol
    NPN/SPDY not offered
    ALPN/HTTP2 not offered
OpenSSL v3 defaults to Security Level 1, and these days TLS 1 is classed as Security Level 0.

There are a few posts on this site that pick up on this issue, notably https://www.apachelounge.com/viewtopic.php?t=9083 and workaround https://www.apachelounge.com/viewtopic.php?p=41572.

However, if you set your openssl.conf file to allow security level 0, you'll need to tighten up and manage the SSL protocol and cipher options on your site front end, as much as specifying what SSL protocols and ciphers to use with the backend connection (SSLProxyProtocol and SSLProxyCipherSuite).

As far as your front end is concerned, there are a number of posts from moderator James Blond where he describes recommended SSL configuration options, e.g. https://www.apachelounge.com/viewtopic.php?t=9180

Realistically, in the limit, you need to get your internal site upgraded to support more recent SSL protocol standards.

impeeza
Joined: 10 Apr 2024
Posts: 3
Location: Colombia

Posted: Fri 12 Apr '24 22:11

Thanks a lot, you are completely right, Windows Server 2008 only supports TLS 1.0 and will NEVER support anything newer.

The migration project for that server will take 1 or 2 years more, the quirks of legacy software!

So my workaround was: in the virtual host proxy definition I changed the ProxyPass directive to use HTTP INTERNALLY and only HTTPS externally, so the external clients can only use the HTTPS front end of the Apache server, and Apache communicates with the internal server using HTTP.

The only drawback is that the communication becomes vulnerable to a MiTM attack, but that is only on the internal servers' network, so it is an almost impossible scenario because it is inside a protected data center.

Thanks a lot for taking the time to answer.
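
The two ways of reaching the TLS 1.0-only backend discussed in this thread, side by side: the HTTP backend leg from the last post, and tangent's suggestion of pinning the backend connection with SSLProxyProtocol and SSLProxyCipherSuite. This is an added example, not configuration posted by any participant. It assumes the httpd build's OpenSSL still includes TLS 1.0 and accepts the @SECLEVEL keyword in cipher strings; backend-ca.pem is a hypothetical file name, and the two cipher names are taken from the TLSv1 list in the testssl.sh output above.

```apache
# Added example, not from the thread. Host names and certificate paths are the
# placeholders used in the first post; backend-ca.pem is a hypothetical file.

# Variant A (workaround from the last post): TLS ends at the proxy and the
# backend leg is cleartext HTTP. Only the ProxyPass lines differ.
#
#   ProxyPass        / http://INTERNAL.SERVER.site/ retry=0
#   ProxyPassReverse / http://INTERNAL.SERVER.site/

# Variant B: keep TLS on the backend leg and confine the legacy exception to
# the proxy-side (client) SSL context of this one virtual host, instead of
# lowering the security level for the whole server in the OpenSSL config file.
<VirtualHost *:443>
  ServerName external.url.site:443
  SSLEngine on
  SSLCertificateFile    "${SRVROOT}/conf/ssl/StarGM.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/StarGM.key"
  # (logging, Timeout and rewrite rules from the first post go here unchanged)

  # Front end, facing external clients: current protocol versions only.
  # SSLProtocol and SSLCipherSuite apply to incoming connections and are not
  # affected by the SSLProxy* settings below.
  SSLProtocol -all +TLSv1.2 +TLSv1.3
  SSLHonorCipherOrder on

  # Back end: the SSLProxy* directives configure the outgoing connection only.
  # TLSv1 is the highest protocol the testssl.sh scan shows the IIS host
  # offering, and @SECLEVEL=0 lifts the OpenSSL 3 security-level check for
  # this context alone. Listing two forward-secret suites keeps RC4 and 3DES,
  # which the backend also offers, from being negotiated.
  SSLProxyEngine on
  SSLProxyProtocol TLSv1
  SSLProxyCipherSuite "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:@SECLEVEL=0"

  # Authenticate the backend so the weakened leg still fails on a certificate
  # that does not chain to the expected CA, has the wrong name, or is expired.
  SSLProxyVerify require
  SSLProxyCACertificateFile "${SRVROOT}/conf/ssl/backend-ca.pem"
  SSLProxyCheckPeerName on
  SSLProxyCheckPeerExpire on

  ProxyRequests off
  ProxyPreserveHost On
  ProxyPass        / https://INTERNAL.SERVER.site:443/ retry=0
  ProxyPassReverse / https://INTERNAL.SERVER.site:443/
</VirtualHost>
```

Once the IIS host is migrated, removing the SSLProxyProtocol and SSLProxyCipherSuite lines returns the backend leg to the library defaults without touching the front end.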