[Feature Request] Show TLS/SSL Connection Details #610

Open
gareth-johnstone opened this issue Dec 11, 2024 · 6 comments

@gareth-johnstone

Excellent work with v2, it's working way better than v1!

What would be great is if we can see in the meta information of the request, what version of TLS was used for the connection as well as maybe some other SSL/TLS related information?

I was thinking something along the lines of what this service offers: https://www.howsmyssl.com/a/check

{
	"given_cipher_suites": [
		"TLS_GREASE_IS_THE_WORD_0A",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_RSA_WITH_AES_256_CBC_SHA"
	],
	"ephemeral_keys_supported": true,
	"session_ticket_supported": true,
	"tls_compression_supported": false,
	"unknown_cipher_suite_supported": false,
	"beast_vuln": false,
	"able_to_detect_n_minus_one_splitting": false,
	"insecure_cipher_suites": {},
	"tls_version": "TLS 1.3",
	"rating": "Probably Okay"
}

I think mostly the tls_version and given_cipher_suites would be very beneficial.

@gareth-johnstone gareth-johnstone changed the title [Feature Request] Show TLS Connection Version [Feature Request] Show TLS/SSL Connection Details Dec 11, 2024
@tarampampam
Owner

Thanks! I believe that, typically, a reverse proxy in front of the app handles TLS, so the webhook tester wouldn't capture the original request's TLS information. Or am I mistaken?

@tarampampam
Owner

@gareth-johnstone friendly ping

@gareth-johnstone
Author

> Thanks! I believe that, typically, a reverse proxy in front of the app handles TLS, so the webhook tester wouldn't capture the original request's TLS information. Or am I mistaken?

@tarampampam Sorry for the late response, it's been pretty hectic the last few days!

You are absolutely right, it would be the reverse proxy that would be picking up that information!

@tarampampam
Owner

I believe we have only one option to capture this information - I can add support for TLS certificates in the app, so it will listen on HTTPS instead of HTTP. However, this will require exposing the container port directly to the external world and avoiding the use of any proxy, ingress, etc. That said, is frequently debugging TLS information necessary?

@gareth-johnstone
Author

gareth-johnstone commented Dec 16, 2024

> I believe we have only one option to capture this information - I can add support for TLS certificates in the app, so it will listen on HTTPS instead of HTTP. However, this will require exposing the container port directly to the external world and avoiding the use of any proxy, ingress, etc.

We have an external firewall so can therefore block most things anyway - may be good as an option to do it this way - for most a reverse proxy would probably be fine, but if you want the additional info, use it directly?

> That said, is frequently debugging TLS information necessary?

Probably not, it's been a recent requirement for some old software where we are using various versions of SSL over a series of webhooks and trying to figure out which is using what was kind of difficult, so thought it would be a great addition - also very useful for debugging services that have disabled TLS1.1 etc.

@tarampampam
Owner

Got it, thanks for clarifying. I'll give it some thought!
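
The option discussed in this thread, sketched with Go's standard library as an added example (it is not code from the thread or from the project): when the process terminates TLS itself, `r.TLS` carries the negotiated version and suite, and a `GetConfigForClient` hook can record the suites the client offered; behind a TLS-terminating proxy `r.TLS` is nil and nothing can be reported. The names `TLSInfo`, `RecordHello`, `Forget`, `Describe` and `show` are hypothetical, and the demo in `main` uses the throwaway test certificate built into `net/http/httptest`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// TLSInfo carries the fields asked for in the issue, plus the negotiated suite.
type TLSInfo struct {
	Version, Cipher string
	Offered         []string // names of the suites listed in the ClientHello
}

var offered sync.Map // remote address -> []uint16 suite IDs from the ClientHello

// RecordHello is a tls.Config.GetConfigForClient hook that notes each client's offer.
func RecordHello(h *tls.ClientHelloInfo) (*tls.Config, error) {
	offered.Store(h.Conn.RemoteAddr().String(), h.CipherSuites)
	return nil, nil // nil config: continue the handshake with the server's own
}

// Forget is an http.Server ConnState hook that drops the record on close.
func Forget(c net.Conn, s http.ConnState) {
	if s == http.StateClosed || s == http.StateHijacked {
		offered.Delete(c.RemoteAddr().String())
	}
}

// Describe returns ok=false when the app saw plain HTTP (TLS ended at a proxy).
func Describe(r *http.Request) (info TLSInfo, ok bool) {
	if r.TLS == nil {
		return info, false
	}
	info.Version, info.Cipher = tls.VersionName(r.TLS.Version), tls.CipherSuiteName(r.TLS.CipherSuite)
	if ids, found := offered.Load(r.RemoteAddr); found {
		for _, id := range ids.([]uint16) {
			info.Offered = append(info.Offered, tls.CipherSuiteName(id))
		}
	}
	return info, true
}

func show(_ http.ResponseWriter, r *http.Request) { fmt.Println(Describe(r)) }
func main() { // loopback demo with httptest's built-in test certificate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(show))
	srv.TLS, srv.Config.ConnState = &tls.Config{GetConfigForClient: RecordHello}, Forget
	srv.StartTLS()
	defer srv.Close()
	srv.Client().Head(srv.URL) // HEAD: no response body to close
}
```

Suite IDs that Go has no name for, such as the GREASE value in the sample output above, are returned by `tls.CipherSuiteName` as a hexadecimal string.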
