TLS "bump"

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

TLS "bump"

Postby AndGeoWill » Aug 23 19 1:50 am

We have a number of Win2003 clients that cannot connect to various sites that require TLS 1.2. Is there a way to configure Wingate proxy to forward traffic from these machines using TLS 1.2 between Wingate and the target server(s)?
AndGeoWill
 
Posts: 2
Joined: Aug 23 19 1:46 am

Re: TLS "bump"

Postby adrien » Sep 02 19 7:54 pm

Hi

just using HTTPS / SSL inspection will do this automatically.

You need an enterprise license for this, and you need to deploy a signing certificate to the client. Check the F1 help while you're looking at the SSL inspection tab in the WWW proxy

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: SSL Inspection

Postby AndGeoWill » May 12 20 2:30 am

This worked well when using a WinGate generated certificate, but now we are setting up a load balanced pair of proxy servers and are trying to use a Sectigo issued shared certificate. This cert is failing with "SSL Certificate is invalid". It looks like the cert. is only configured for "Server Authentication" and "Client Authentication" purposes. What other purposes are required for WinGate SSL Inspection?

Thanks!
AndGeoWill
 
Posts: 2
Joined: Aug 23 19 1:46 am

Re: TLS "bump"

Postby adrien » May 12 20 5:34 pm

Hi

fundamentally, SSL inspection requires generating certificates that masquerade as the certificate of any website your users go to.

For this, the certificate used is used to sign other certificates.

there's no CA in the world that will sell you a cert that can be used for this, because the basis of a CA business is verifiying the authenticity of holders of certificates.

The base cert used by WinGate is created by WinGate with the attributes that allow it to sign other certificates - to attest to their validity. This is why this certificate used must be trusted by your users, which involves adding the cert to their root cert store.

You can possibly ease deployment of the WinGate cert with group policy. It may also be possible to mint a suitable certificate from AD CA services so it's trusted by your domain users, but we haven't done that before. In the end, deploying the WinGate self-signed cert for this is a lesser problem.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: TLS "bump"

Postby adrien » May 12 20 6:20 pm

p.s. you can copy the certificate from one WinGate over to another. Just import it.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland


Return to WinGate

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 44 guests