fatedier / frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Apache License 2.0
86.46k stars 13.37k forks

[Feature Request] remove TLS 1.0/1.1 support #3043

Closed popolin7991 closed 2 years ago

popolin7991 commented 2 years ago

Describe the feature request

sslscan frp server bind_port: TLSv1.0/1.1 enabled. If not blocked, detect obsolete cipher suites.

Describe alternatives you've considered

No response

Affected area

popolin7991 commented 2 years ago

frp 0.35.1

frp 0.41.0

Becods commented 2 years ago

Why do you propose to do this?

What is the motivation for doing it?

What will happen when the proposal is implemented?

popolin7991 commented 2 years ago

@Becods A security vulnerability?! TLS 1.0/1.1 has been deprecated; I just wanted to ask how to disable it.

Anduin2017 commented 2 years ago

Directly expose port 443 as pure TCP. Secure that in the original web server.

Here is my configuration:


Sample frps.ini:

[common]
bind_port = 7000
token = your_strong_password

Sample frpc.ini:

[common]
server_addr = my-frp.com
server_port = 7000
token = your_strong_password

[HTTP]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 80

[HTTPS]
type = tcp
local_ip = 127.0.0.1
local_port = 443
remote_port = 443

And install a modern web server locally, listening on local ports 80 and 443.

You can follow the steps in the documentation of the web server you installed. Disable obsolete protocols and you can pass that.

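A way to confirm which protocol versions an endpoint still negotiates after a change like the one in the comment above, as an added example that is not part of the original thread or of frp's code: a Go probe that offers exactly one TLS version per handshake. `ProbeTLS` and `StartOrigin` are hypothetical names, and the two local servers are constructed stand-ins for the web server behind the tunnel.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// ProbeTLS (hypothetical helper) offers exactly one protocol version per
// handshake and returns the names of the versions the endpoint accepted.
func ProbeTLS(addr string) []string {
	var accepted []string
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	for _, v := range versions {
		cfg := &tls.Config{
			MinVersion:         v,
			MaxVersion:         v,
			InsecureSkipVerify: true, // version audit only; the certificate is not judged here
		}
		conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
		if err != nil {
			continue // refused or unreachable: not counted as accepted
		}
		conn.Close()
		accepted = append(accepted, tls.VersionName(v))
	}
	return accepted
}

// StartOrigin (hypothetical) starts a constructed local HTTPS server with the
// given protocol floor, standing in for the web server behind the tunnel.
func StartOrigin(minVersion uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.StartTLS()
	return srv
}

func main() {
	// First server keeps the legacy floor, second one is hardened to TLS 1.2.
	for _, s := range []*httptest.Server{StartOrigin(tls.VersionTLS10), StartOrigin(tls.VersionTLS12)} {
		fmt.Println(s.Listener.Addr(), ProbeTLS(s.Listener.Addr().String()))
		s.Close()
	}
}
```

Pointing `ProbeTLS` at the public `host:443` of a tunnel configured with `type = tcp` reports the versions of the local web server, because the handshake passes through frp untouched.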

github-actions[bot] commented 2 years ago

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.