Can pfSense outbound-proxy old HTTPS clients, translating SSLv3 to TLSv1.2?
-
My organization uses Netgate appliances running pfSense as firewalls for single client machines (one Netgate appliance per client), firewalling most of the client ports save for SSH, HTTP/HTTPS, and certain database and SIP/telephony ports. Each Netgate appliance has its own external v4 IP.
The client application software and OS are both old and difficult to upgrade. When we try to make outbound HTTPS connections, we encounter SSLv3 compatibility errors in trying to connect to most external websites.
This may be a question for the pfSense packages forums, but my hope is to use pfSense, perhaps with the Squid and/or HAProxy optional packages installed, as an outbound proxy for HTTPS that could accept the SSLv3 message from the internal client and send it out as TLSv1.2. Is that within pfSense's capability, using Squid, HAProxy, or other installable software?
-
@kurt19001 I can't foresee it being an issue.
Just load the root cert of pfSense (when you create one) onto the machines and in theory you should be good to go.
-
@michmoor thanks for your reply!
Do you mean I have to add the pfSense machine's root certificate to the trusted certs on the client machine?
I will share your answer with our network people.
Yours,
kurt19001
-
@kurt19001 Yes, if you are going to do an explicit proxy then the firewall cert will need to be loaded on all the machines. All SSL certificates are going to be signed by the firewall as it's performing a 'man in the middle' operation.
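As an added example (not part of the thread, and not the configuration the pfSense Squid package generates for you), the directives below show what the explicit-proxy, man-in-the-middle setup described in the replies looks like in a Squid 4/5 squid.conf: Squid terminates the client's session with a per-site certificate minted from the firewall's CA, then re-originates the outbound leg with TLS 1.2 or newer. The listening address, LAN range, file paths and the name of the exported pfSense CA are assumptions. One caveat the thread does not mention: whether the client-facing side can actually speak SSLv3 depends on the OpenSSL build Squid is linked against, and OpenSSL has shipped without SSLv3 support by default since 1.1.0, so a client that can only offer SSLv3 (rather than TLS 1.0) may still fail at the proxy.

```squid
# Added example for the thread above; assumed paths and addresses, Squid 4+ syntax.

# Explicit proxy port that the legacy clients point their HTTP/HTTPS proxy setting at.
# ssl-bump lets Squid open up CONNECT tunnels; generate-host-certificates mints a
# per-site certificate on the fly, signed by the CA given in tls-cert/tls-key
# (assumed here to be the pfSense CA exported from System > Cert. Manager).
http_port 192.168.1.1:3128 ssl-bump tls-cert=/usr/local/etc/squid/pfsense-ca.crt tls-key=/usr/local/etc/squid/pfsense-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that performs the certificate minting and caches the results on disk.
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Peek at the client's ClientHello first (to learn the SNI name for the minted
# certificate), then bump, i.e. man-in-the-middle, every CONNECT tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Outbound leg: Squid re-originates the connection with TLS 1.2 or newer and
# validates the real site's certificate against the system trust store.
# Connections to sites with bad certificates are refused rather than passed through.
tls_outgoing_options min-version=1.2 cafile=/etc/ssl/cert.pem
sslproxy_cert_error deny all

# Only the client network behind this appliance may use the proxy.
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny all
```

To check the result from a client that does have a modern OpenSSL, `openssl s_client -proxy 192.168.1.1:3128 -connect example.com:443 -tls1_2` should complete a handshake whose certificate chain is issued by the firewall's CA rather than the site's public CA; that confirms the bump is in place and the CA is what must be installed in the legacy clients' trust store.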