Forum Discussion
STARTTLS Proxy
Hi.
I'm trying to setup a TLSv1.0 -> TLSv1.2 proxy for STARTTLS SMTP traffic.
We need to disable TLSv1.0 and TLSv1.1 on STARTTLS sessions, for compliance reasons, on our mail server. Another requirement is that an "AUTH LOGIN" prompt can't be displayed until a STARTTLS session has been established, i.e. no credentials sent in plain text.
I have a list of known internal clients that only support TLSv1.0, things like scan-to-email printers / Office 2011 for Mac. All other clients will need to use TLSv1.2.
I've created a virtual server, added clientside and serverside SSL profiles with only TLSv1.2 enabled. There's another client side SSL profile (called Legacy_Mail) with TLSv1.0, TLSv1.1 and TLSv1.2 enabled.
An iRule disables SSL on both the clientside and serverside in CLIENT_CONNECTED.
Once a "STARTTLS" / "220 Ready to start TLS" combination is detected, if it's a known TLSv1.0 client, change the client side SSL profile to Legacy_Mail. However, specifying SSL::profile Legacy_Mail in the SERVER_DATA event returns a "[command is not valid in the current scope]". Seems SSL::profile only works in the CLIENT_CONNECTED event for non-HTTP traffic.
Tried other events but couldn't find one that works.
Next thought I had was to have a second virtual server, VS2, with the Legacy_Mail clientside and serverside profile with only TLSv1.2.
In the CLIENT_CONNECTED event, it checks the known TLSv1.0 IP list and then issues a virtual VS2 if there's a match.
VS2 then performs the "STARTTLS" / "220 Ready to start TLS" checks and enables SSL if detected.
Issue here is that there are no events fired on the iRule attached to VS2 after virtual VS2 is issued.
Does anyone have any thoughts about:
- How to change the SSL::profile in events other than CLIENT_CONNECTED
- How to get events to fire on the VS2 virtual server after virtual VS2 is issued
Thanks.
- Anesh
Cirrostratus
try
when CLIENT_ACCEPTED {
    # Start with SSL off and collect the first 3 bytes the client sends
    SSL::disable
    TCP::collect 3
}
when CLIENT_DATA {
    if { [TCP::payload length] >= 3 } {
        # First 3 bytes of a TLS record: content type (0x16 = handshake) followed by the record-layer version
        binary scan [TCP::payload 3] H* hex
        log local0. "Payload in HEX: $hex"
        switch $hex {
            "160301" {
                # Handshake record with version 3.1: use the legacy profile
                SSL::profile Legacy_Mail
                SSL::enable
            }
            default {
                SSL::enable
            }
        }
    }
    TCP::release
}
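Whichever iRule design is used, the two requirements in the question (no AUTH advertised before STARTTLS; TLS 1.0/1.1 refused after it) can be verified from the outside. The script below is an added example, not code from either poster or from F5: the EHLO replies are constructed samples, the host name is a placeholder, and only probe() needs network access.

```python
"""Check an SMTP endpoint for AUTH before STARTTLS and for TLS 1.0/1.1 still being accepted."""
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_AUTH = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
EHLO_CLEAN = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME"


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: parameters}, skipping the greeting line."""
    exts = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")  # drop "250-" / "250 "
        exts[keyword.upper()] = params
    return exts


def auth_offered_plaintext(reply: str) -> bool:
    """True if AUTH is advertised in the pre-STARTTLS EHLO, i.e. credentials could go in clear."""
    return "AUTH" in parse_ehlo(reply)


def _ctx(min_ver, max_ver):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only probe the protocol version here
    ctx.minimum_version, ctx.maximum_version = min_ver, max_ver
    return ctx


def probe(host: str = "mail.example.test", port: int = 587) -> dict:
    """Live probe; an OpenSSL build that itself lacks TLS 1.0/1.1 also raises, so confirm with a legacy client."""
    result = {}
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        result["auth_before_starttls"] = "auth" in s.esmtp_features  # smtplib lowercases keywords
        s.starttls(context=_ctx(ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED))
        result["tls12_ok"] = True
    for ver, key in ((ssl.TLSVersion.TLSv1, "tls10_refused"), (ssl.TLSVersion.TLSv1_1, "tls11_refused")):
        try:
            with smtplib.SMTP(host, port, timeout=10) as s:
                s.starttls(context=_ctx(ver, ver))
            result[key] = False
        except (ssl.SSLError, smtplib.SMTPException):
            result[key] = True
    return result
```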