Rebex TLS Proxy is a simple yet powerful TLS server with rich command-line interface. It makes it possible to easily add TLS 1.3/1.2 encryption to existing servers (using HTTP and other protocols), or operate as a TLS 1.0/1.1 proxy for legacy client applications or operating systems with no TLS 1.3/1.2 support.
Checksums of RebexTlsProxy-v1.3.0.zip file: SHA-1: 3a3ec666441a6a752e7915bbef0554940348ec96 SHA-256: 46ba0d97fbf7eefde8e1395a7af892014f57d6e8110f75db646eeb84710dc976See here how to verify checksums of the instalation package.
tlsproxy installto install and configure the service.
tlsproxyto show a list of supported commands, or check out an example below.
tlsproxy tunnel addcommand.
tlsproxy tunnel add --helpto display possible options.
tlsproxy svc restart.
tlsproxy run(make sure to stop the service first).
Rebex TLS Proxy features include:
pre_shared_keyTLS 1.3 extension)
key_shareextension (TLS 1.3)
X25519and Brainpool elliptic curves
This is the most common usage scenario. Let's say you have a legacy HTTP server running in your DMZ that only supports plain HTTP and HTTPS with TLS 1.0, and that your router is configured to make the HTTPS service accessible to the Internet on port 443.
But TLS 1.0 is rapidly getting deprecated (along with TLS 1.1) by major browsers, and unless you provide TLS 1.3 or TLS 1.2 support, clients will soon be unable to access the legacy HTTP server. Rebex TLS Proxy can help here - install it either alongside the old server, or onto a separate server in your DMZ, and configure it to provide a TLS tunnel with TLS 1.3/1.2 support to your old HTTP server (running at 192.168.1.2, for example):
tlsproxy tunnel add --in 0.0.0.0:443 --in-protocol TLS --out 192.168.1.2:80 --certificate-path c:\data\my-server-cert.pfx
This will make Rebex TLS Proxy accept TLS connections using TLS 1.3 and 1.2 on port 443. Once each connection has been accepted and a secure TLS session negotiated, the proxy will connect to port 80 of 192.168.1.2 (the old HTTP server) and pass all traffic between the client and the server. Once you configure your router to pass HTTPS connections to Rebex TLS Proxy instead of your old server, clients that no longer support TLS 1.0 or 1.1 will be able to connect again.
Note: Since TLS encryption is now provided by Rebex TLS Proxy, you also need to make an appropriate certificate available to it. In the sample above, we used a certificate stored in a .PFX file. In practice, using Windows Certificate Store might be a better option.
On HTTP servers, several websites can be hosted on the same IP address. The proper "virtual web" is chosen according to
Host header in the HTTP request.
A similar technology is also available for TLS (and HTTPS) protocol.
It is provided via Server Name Indication extension (SNI).
If your TLS Proxy runs on one specific IP address, you can easily configure it to provide HTTPS access to several HTTP websites:
tlsproxy tunnel add -i :443 --in-protocol TLS -o 192.168.1.1:80 -c example1.com --server-names example1.com,www.example1.com tlsproxy tunnel add -i :443 --in-protocol TLS -o 192.168.1.2:80 -c example2.com --server-names example2.com,www.example2.com tlsproxy tunnel add -i :443 --in-protocol TLS -o 192.168.1.3:80 -c test.myorg.com --server-names test.myorg.com tlsproxy tunnel add -i :443 --in-protocol TLS -o 192.168.1.3:80 -c help.myorg.com --server-names help.myorg.com tlsproxy tunnel add -i :443 --in-protocol TLS -o 192.168.1.3:80 -c myorg.com --server-names *
This is what these commands do:
www.example1.comwill be routed to a website on IP address
www.example2.comwill be routed to a website on IP address
help.myorg.comwill be provided with appropriate certificates
192.168.1.3(where they are going to be handled by separate virtually hosted websites).
192.168.1.3and provided with a single certificate.
TLS 1.0 and 1.1 are currently being deprecated by major browser vendors, and using them on the Internet is strongly discouraged. However, many existing legacy systems only support these legacy versions and often cannot be easily upgraded. And as long as those systems are operated within safe private networks or DMZs, they don't pose a security hazard. But these systems usually need to communicate with the outside world as well, which will become problematic once Internet-facing endpoints disable support for TLS 1.0 and 1.1.
Rebex TLS Proxy can address these situations as well by serving as an adapter that 'converts' TLS 1.3/1.2 (used by the servers on the Internet) to TLS 1.0/1.1 (used by legacy systems running on your private network):
tlsproxy tunnel add --in 0.0.0.0:443 --in-protocol TLS --in-tls-versions TLS10 --out test.rebex.net:443 --out-protocol TLS --out-tls-versions TLS13 --certificate-path c:\data\my-server-cert.pfx
This will make Rebex TLS Proxy accept TLS 1.0 connections on port 443, and tunnel them to port 443 of test.rebex.net via TLS 1.3.
Note: In order for this to work properly, make sure you are using appropriate host names and certificates. For example, when providing a private 'HTTPS with TLS 1.0' endpoint for a third-party 'HTTPS with TLS 1.3' service, you might have to provide your own replacement certificate signed by a custom certification authority and configure all your legacy HTTPS clients accordingly.
Rebex TLS proxy runs on all recent and some not-so-recent Windows platforms:
Both 32-bit and 64-bit platforms are supported.
Rebex TLS Proxy is free for commercial and non-commercial use. See the End User License Agreement (EULA) for details.
1.3.0 (2020-07-07) - Improved tunnel closure routine to use less resources. - Certificate chain sent to the client during TLS negotiation does not include Root certificate now. - Changed behavior of 'certificate' config value to: Thumbprint or Subject Alternative Name (SAN) or Common Name (CN). 1.2.0 (2020-05-25) - Fixed bug causing infinite loop when a TLS error occurred. - Fixed bug causing tunnel closure when client attempted to resume TLS 1.3 session on inbound channel. - Using Rebex components 2020 R2. 1.1.0 (2020-04-15) - Added support for TLS virtual hosting via Server Name Indication extension (SNI). - Improved configuration file validation. - Improved logging. 1.0.0 (2020-03-17) - Initial public release.