Alert Logic® Web Security Manager™ (WSM) accepts every incoming connection at the lowest TLS version supported on any of its proxies, and then renegotiates the connection to the TLS level required by the configuration of the target proxy.
When the WSM appliance receives an initial HTTPS request, it does not yet know which proxy the request is targeting, because the HTTP headers of the request are not passed to WSM until after the SSL negotiation has taken place. For that initial handshake, WSM therefore uses the lowest supported TLS version configured across all of the appliance’s proxies. Once the initial SSL handshake occurs and the HTTP headers are provided, WSM checks that specific proxy’s configuration and renegotiates to a higher TLS version if required.
As an example, take the following three proxy configurations on WSM:
- Proxy A requires TLS v1.2 or higher
- Proxy B requires TLS v1.1 or higher
- Proxy C requires TLS v1.0 or higher
In the above configuration, WSM’s minimum supported version for the initial SSL handshake is TLS v1.0. WSM will not allow a client connection below this TLS version, meaning that SSL v2 and SSL v3 would be refused. If a client negotiates at TLS v1.0, WSM will parse the HTTP headers for the Host header and take one of the following actions:
- If the host designated in the HTTP headers is pointing to proxy A, WSM will attempt to renegotiate to the minimum level of TLS v1.2. If the client cannot support this version, the client is disconnected and nothing is passed through WSM.
- If the host designated in the HTTP headers is pointing to proxy B, WSM will attempt to renegotiate to the minimum level of TLS v1.1. If the client cannot support this version, the client is disconnected and nothing is passed through WSM.
- If the host designated in the HTTP headers is pointing to proxy C, WSM will serve the request without renegotiating, as the minimum version of TLS has been satisfied for this proxy.
If, in the above example, you were to reconfigure proxy C to a minimum TLS version of v1.1, the minimum TLS version for the initial SSL handshake would also move up to TLS v1.1, meaning all new requests to WSM must satisfy at least this version of TLS. Once the initial handshake is completed, WSM will match the HTTP headers against all of the proxies and renegotiate as needed to the appropriate proxy’s minimum version.
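The decision flow described above, modelled as an added example (this is not Alert Logic code). The hostnames are constructed placeholders for proxies A, B and C, and the function names are hypothetical.

```python
from enum import IntEnum

class V(IntEnum):
    SSL3 = 0
    TLS1_0 = 1
    TLS1_1 = 2
    TLS1_2 = 3

# Constructed sample: placeholder hostnames mapped to each proxy's minimum version.
PROXIES = {
    "a.example": V.TLS1_2,  # Proxy A
    "b.example": V.TLS1_1,  # Proxy B
    "c.example": V.TLS1_0,  # Proxy C
}

def handshake_floor(proxies):
    """Lowest minimum across all proxies: the floor for the initial handshake."""
    return min(proxies.values())

def decide(proxies, host, negotiated, client_max):
    """Outcome for a client that negotiated `negotiated` and supports up to `client_max`."""
    if negotiated < handshake_floor(proxies):
        return "refused at initial handshake"
    # The target proxy is known only once the Host header has been read.
    required = proxies[host]
    if negotiated >= required:
        return "served without renegotiation"
    if client_max >= required:
        return f"renegotiated to {required.name}"
    return "disconnected"

def below_own_minimum(proxies):
    """Hosts whose initial handshake can complete below the proxy's own minimum."""
    floor = handshake_floor(proxies)
    return sorted(h for h, v in proxies.items() if v > floor)

if __name__ == "__main__":
    # A client that negotiated TLS v1.0 and supports nothing above TLS v1.1.
    for host in PROXIES:
        print(host, "->", decide(PROXIES, host, V.TLS1_0, V.TLS1_1))
    print("floor:", handshake_floor(PROXIES).name)
    print("handshake below own minimum:", below_own_minimum(PROXIES))
```

`below_own_minimum` is useful when reviewing a configuration: it lists the proxies that rely on renegotiation, rather than the initial handshake, to enforce their configured minimum.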