Is it possible to restrict old TLS protocol traffic on a specific port even though I have turned off old protocols in Windows?

Posted by Sunsparc@reddit | sysadmin | View on Reddit | 12 comments

I have a legacy app in my environment that apparently uses it's own crypto implementation. Despite locking down TLS protocols and ciphers as much as possible with IISCrypto, it still advertises TLS 1.0/1.1 and SSLv3 on the specific port. Running testssl from a Kali VM shows the deprecated protocols and insecure CBC ciphers. The vendor for the legacy app made a huge deal about crunching out TLS 1.2 support for us in 6 months but neglected to offer a method for disabling the old protocols and is instead opting to squeeze us for more money to "enhance that functionality".

Reply to Post

12 Comments

[-]

Eam404@reddit

Couple of options: - Serverless functions like Cloudflare to intercept request, and "upgrade to TLS 1.2" There are some examples in the docs of this very thing. - stunnel might allow you to lock down communication to a different port without changing the app configuration.

[-]

pdp10@reddit

> The vendor for the legacy app [...] is instead opting to squeeze us for more money What did you expect to happen? But hey, at least this way, there's only one throat to choke, right? Right? * Pragmatic: use Stunnel to listen on the port and then proxy over to the app listening on `localhost`. * Spiteful: dissect the binary and replace or over-ride symbols (functions) until you're happy with the behavior. * Political: make your internal stakeholders feel bad and then make them pay the vendor's ransom.

[-]

dfctr@reddit

This is a way of fixing an issue I'll borrow for immediate use.

[-]

Sunsparc@reddit (OP)

> What did you expect to happen? Yeah this vendor is the epitome of do the bare minimum and if you don't ask for it, it doesn't happen. Why build out TLS 1.2 if you're not going to implement a way to turn off the deprecated protocols? I personally feel like our intial work investment to enhance to TLS 1.2 should have covered that, but I digress.

[-]

pdp10@reddit

> Why build out TLS 1.2 if you're not going to implement a way to turn off the deprecated protocols? In the vendor's defense (!), those who don't deal with scans, audits, and cryptography, probably wouldn't ever think that hard-disabling older crypto versions would be important or a "feature". > our intial work investment to enhance to TLS 1.2 should have covered that Probably, but if you didn't think to specify that in the contract, and they weren't familiar enough with modern infosec practices to ask, then it just slipped through the cracks.

[-]

cerulean47@reddit

I would use a reverse proxy to front the application and make the proxy the only thing that can talk to it. Could use haproxy, nginx, or my home lab favorite nginx-proxy-manager.

[-]

OnARedditDiet@reddit

What sorta web server is it running? IIS? Apache?

[-]

Sunsparc@reddit (OP)

It's none of those, proprietary is my understanding. App was created in the early 90s and still looks that way. I don't think I can provide much more information without naming the app and giving a away a lot of information.

[-]

Is it possible to restrict old TLS protocol traffic on a specific port even though I have turned off old protocols in Windows?

Reply to Post

12 Comments

Eam404@reddit

pdp10@reddit

dfctr@reddit

Sunsparc@reddit (OP)

pdp10@reddit

cerulean47@reddit

OnARedditDiet@reddit

Sunsparc@reddit (OP)

OnARedditDiet@reddit

tacotacotacorock@reddit

autogyrophilia@reddit

idiotscareshimself@reddit