Objective
As detailed in this Support Bulletin, Contrast is in the process of deprecating support for TLS protocols below version 1.2. This article details the steps that should be taken to ensure no interruption in traffic from the Contrast agents to the Contrast UI; however, in some cases (primarily where older technology is in use) a workaround may be necessary to allow connectivity to continue. This article details two possible workarounds via an OpenSSL-based forward proxy:
- Nginx + Ghostunnel using OpenSSL
  (Agent) HTTP → (Proxy) HTTPS TLSv1.2 → (Contrast UI) TLSv1.2
- Squid using OpenSSL (set-up requires an OpenSSL build that supports the cipher suites of both the Java environment and the Contrast UI, since Squid speaks TLS 1.0/1.1 to the agent's JVM and TLS 1.2 to the UI)
  (Agent) HTTPS TLSv1.0/1.1 → (Proxy) HTTPS TLSv1.0/1.1/1.2 → (Contrast UI) HTTPS TLSv1.2
Process
Nginx + Ghostunnel using OpenSSL
What's happening?
- ghostunnel is used to proxy connections from the Contrast agent on the application server over TLS to the Contrast Team Server.
- nginx is used to facilitate this proxying by rewriting the request Host header for all traffic going out through the ghostunnel proxy.
- The Contrast agent is configured (via something like the contrast_security.yaml file) to connect over plain HTTP to the localhost proxy. When the connection leaves the application server (via ghostunnel) it is sent over the proxy's TLS 1.2 connection.
Steps to set up:
- Install ghostunnel via the official docs: GitHub - ghostunnel/ghostunnel: A simple SSL/TLS proxy with mutual authentication for securing non-TLS services
  - go is required to build it, so make sure it is installed correctly and at a version greater than 1.12.
  - git clone the repo and run make ghostunnel from the repo directory.
- ghostunnel can be used as a client proxy with a command similar to the following:
  sudo ./ghostunnel client --listen=localhost:1111 --target=app.contrastsecurity.com:443 --disable-authentication
  - NOTE: --disable-authentication removes the need for ghostunnel to have its own certificate and key to present on the connection. That is, our setup has it proxying transparently: plain HTTP in on localhost:1111, TLS out to app.contrastsecurity.com:443.
- You should be able to test that this is working correctly with a sample curl request like this (ghostunnel forwards the request bytes unchanged, so at this stage the Host header has to be supplied by hand; nginx takes care of it in the next step):
  curl 'http://localhost:1111/Contrast' -H "Host: app.contrastsecurity.com"
  - The server response should redirect to the Contrast login in this scenario.
- You can validate that ghostunnel is connecting over TLS by running the following tcpdump command, which matches packets whose TCP payload starts with the TLS handshake record type (0x16):
  sudo tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)]=0x16)"
  - Sending the above curl should generate activity on the tcpdump filter.
- Install and configure nginx to proxy requests to the ghostunnel listener. The simplest config looks something like this in the file /etc/nginx/sites-available/default:

  server {
      listen localhost:80;
      root /var/www/html;
      # Add index.php to the list if you are using PHP
      index index.html index.htm index.nginx-debian.html;
      server_name _;
      location / {
          # First attempt to serve request as file, then
          # as directory, then fall back to displaying a 404.
          #try_files $uri $uri/ =404;
          proxy_pass http://localhost:1111/;
          proxy_set_header Host app.contrastsecurity.com;
      }
  }

  - NOTE: The only purpose this serves is to set the Host header on outgoing requests, as there is no way to configure the Contrast agent to do this with our setup. You should be able to test this part of the workflow much like the previous test:
  curl "http://localhost/Contrast"
  - Note that in this instance we no longer need to force the Host header, and the default port is 80.
- Configure the Contrast agent's contrast_security.yaml file to communicate over the proxied connection. A sample configuration may look like this:

  api:
    url: http://localhost/Contrast
    api_key: <Enter your API Key>
    service_key: <Enter your Service Key>
    user_name: <Enter the Agent User Name>
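To make the mechanics of the chain concrete, here is an added Python 3 example (not code from this article, ghostunnel or nginx) that collapses both proxies into one process: it listens for plain HTTP on loopback, replaces the Host header with app.contrastsecurity.com (the nginx role), and forwards the request to an upstream; with upstream_tls=True the upstream hop is TLS with a floor of 1.2 and the server certificate verified against the system trust store (the ghostunnel role). The demo() function runs the chain offline against a constructed loopback stand-in for the Contrast UI, which has to be plain HTTP because no certificate is available offline; the /Contrast/login redirect path is an assumption used only by that stand-in. It is for understanding the setup, not a supported substitute for the proxies above.

```python
# Added example: nginx (Host rewrite) + ghostunnel (TLS 1.2 out) in one process.
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CONTRAST_HOST = "app.contrastsecurity.com"  # value the UI expects in Host:


def tls12_client_context():
    """Outbound hop: floor of TLS 1.2, server cert checked against system roots."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_proxy_handler(upstream_host, upstream_port, upstream_tls, host_header):
    """Handler forwarding every request upstream with Host rewritten
    (equivalent of proxy_pass + proxy_set_header Host in the nginx config)."""

    class HostRewriteProxy(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def _forward(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else None
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in ("host", "connection")}
            headers["Host"] = host_header          # the whole point of the nginx hop
            headers["Connection"] = "close"
            if upstream_tls:
                conn = http.client.HTTPSConnection(
                    upstream_host, upstream_port, context=tls12_client_context(), timeout=10)
            else:                                   # plain TCP, used only by the offline demo
                conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=10)
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.send_header("Connection", "close")
            self.end_headers()
            self.wfile.write(data)
            conn.close()

        do_GET = do_POST = do_PUT = _forward

        def log_message(self, *args):  # keep the demo quiet
            pass

    return HostRewriteProxy


def start_proxy(upstream_host, upstream_port, upstream_tls=True,
                host_header=CONTRAST_HOST, listen=("127.0.0.1", 0)):
    """Serve on a background thread; returns (server, bound port). For the Docker
    case use listen=("0.0.0.0", 1111), remembering this hop is plain HTTP."""
    handler = make_proxy_handler(upstream_host, upstream_port, upstream_tls, host_header)
    server = HTTPServer(listen, handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class FakeContrastUI(BaseHTTPRequestHandler):
    """Constructed stand-in for the UI: records the Host it received and, like the
    real UI for an unauthenticated /Contrast request, redirects to the login page
    (the /Contrast/login path is an assumption, used only here)."""
    seen_hosts = []

    def do_GET(self):
        FakeContrastUI.seen_hosts.append(self.headers.get("Host"))
        self.send_response(302 if self.path == "/Contrast" else 404)
        if self.path == "/Contrast":
            self.send_header("Location", "/Contrast/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def demo():
    """Offline run: client -> proxy (Host rewritten) -> stand-in UI.
    Returns (status seen by client, Location header, Host seen by upstream)."""
    FakeContrastUI.seen_hosts.clear()
    ui = HTTPServer(("127.0.0.1", 0), FakeContrastUI)
    threading.Thread(target=ui.serve_forever, daemon=True).start()
    proxy, port = start_proxy("127.0.0.1", ui.server_address[1], upstream_tls=False)
    client = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
    client.request("GET", "/Contrast")   # no Host header to force, as with curl against nginx
    resp = client.getresponse()
    result = (resp.status, resp.getheader("Location"), FakeContrastUI.seen_hosts[-1])
    client.close()
    proxy.shutdown()
    ui.shutdown()
    return result


if __name__ == "__main__":
    print(demo())  # (302, '/Contrast/login', 'app.contrastsecurity.com')
```

The upstream sees Host: app.contrastsecurity.com even though the client never set it, which is exactly what the nginx hop exists to do; everything between the agent and this process travels in the clear, so it belongs on loopback unless the Docker note below applies.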
Other Notes
- If the application (and thus the agent) runs in a container, like Docker, you may not be able to use localhost with the way Docker networking works.
  - In this case, an easy workaround is to run ghostunnel in --unsafe-listen mode and have it listen on 0.0.0.0:1111, i.e. on all interfaces rather than only loopback.
  - Then you could configure the IP in the agent yaml file to point to the private IP of the Docker host.
  - Keep in mind that this exposes the plain-HTTP hop, and the agent's API and service keys it carries, to anything that can reach that interface, so restrict it with a host firewall or a Docker network rather than leaving it open.
- This is a workaround/temporary solution to ensure an agent continues to function. The BEST solution is to upgrade the environment so that it supports TLS 1.2 and above, and allow the agent to connect that way.
- This is the shortest/quickest TLS proxy setup. There are undoubtedly other ways to configure these proxy settings or other modules that could be employed.
- Why not nginx and proxy through that directly?
  - I ran into issues with the upstream SSL connection between nginx and the Contrast TS that I struggled to resolve, and found ghostunnel more seamless.
- Why not Squid proxy and ssl-bump with HTTP CONNECT?
- All of the above are valid considerations that could absolutely be considered by customers.
- MOST IMPORTANTLY: this is a potential solution for illustrative purposes, but customers should accept all risk of implementing such a solution, as Contrast cannot maintain a workaround solution, especially one that strays from the best-practice guideline of upgrading to something that can support the correct TLS versions.
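The tcpdump filter in the set-up steps only tells you that a handshake record went by (it tests that the first byte of the TCP payload is 0x16); to see which protocol versions a given hop (the agent's JVM, or the proxy) is actually offering, the ClientHello itself has to be decoded. The following is an added Python 3 example, not code from this article or from tcpdump: it parses a ClientHello record, reports the highest version the client offers (legacy_version for pre-1.3 clients, the supported_versions extension for TLS 1.3 clients) and says whether that client could complete a handshake with a TLS 1.2-only server. build_client_hello constructs minimal test records; the payload bytes of a real capture can be fed to the same functions.

```python
# Added example: decode the ClientHello that the tcpdump filter above matches.
import struct

TLS_HANDSHAKE = 0x16          # record content type; the byte the tcpdump filter tests
CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 43   # supported_versions extension (RFC 8446)
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(payload):
    """Parse a TCP payload that starts with a TLS record. Returns a dict with the
    record version, the ClientHello legacy_version and the supported_versions
    list, or None when the payload is not a well-formed ClientHello."""
    try:
        if payload[0] != TLS_HANDSHAKE:                       # same check as the BPF
            return None
        record_version, rec_len = struct.unpack("!HH", payload[1:5])
        hs = payload[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        legacy_version = struct.unpack("!H", body[:2])[0]
        pos = 34                                              # version(2) + random(32)
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        supported = []
        if pos < len(body):                                   # extensions are optional
            ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data = body[pos + 4:pos + 4 + elen]
                if etype == EXT_SUPPORTED_VERSIONS:
                    supported = [struct.unpack("!H", data[i:i + 2])[0]
                                 for i in range(1, 1 + data[0], 2)]
                pos += 4 + elen
        return {"record_version": record_version,
                "legacy_version": legacy_version,
                "supported_versions": supported}
    except (IndexError, struct.error):                        # truncated or not TLS
        return None


def highest_offered(payload):
    """Name of the highest protocol version the client offers, or None.
    Pre-1.3 clients signal their maximum in legacy_version; TLS 1.3 clients pin
    legacy_version to 0x0303 and list the real versions in supported_versions."""
    hello = parse_client_hello(payload)
    if hello is None:
        return None
    versions = hello["supported_versions"] or [hello["legacy_version"]]
    known = [v for v in versions if v in VERSION_NAMES]       # skips GREASE values
    return VERSION_NAMES[max(known)] if known else None


def meets_tls12(payload):
    """True if this client could complete a handshake with a TLS 1.2-only server."""
    return highest_offered(payload) in ("TLSv1.2", "TLSv1.3")


def build_client_hello(legacy_version, supported_versions=None):
    """Constructed minimal ClientHello record for exercising the parser (one
    cipher suite, null compression); not a complete handshake message."""
    ext = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    hello = (struct.pack("!H", legacy_version) + bytes(32)    # version + random
             + b"\x00"                                        # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
             + b"\x01\x00")                                   # compression: null
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


if __name__ == "__main__":
    samples = {"old JVM": build_client_hello(0x0302),
               "TLS 1.2 client": build_client_hello(0x0303),
               "TLS 1.3 client": build_client_hello(0x0303, [0x0304, 0x0303])}
    for label, hello in samples.items():
        print(label, highest_offered(hello), meets_tls12(hello))
```

An "old JVM" ClientHello with legacy_version 0x0302 reports TLSv1.1 and fails meets_tls12, which is the case the proxy workaround exists for; note that the outer record version (0x0301 in these samples) says nothing about what the client supports and should not be used for this check.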
Squid with OpenSSL
References:
- OpenSSL: https://www.openssl.org/
- Ghostunnel: https://github.com/ghostunnel/ghostunnel
- Nginx: https://nginx.org/
- Squid: http://www.squid-cache.org/
- Stunnel: https://www.stunnel.org/
- Linux Gazette (issue 107): https://linuxgazette.net/107/odonovan.html