Virtual Appliance Secure Tunnel Configuration

A customer’s security ops is very keen on understanding the details of the VA Secure Tunnel configuration, and I am unable to glean from the docs what type of tunnel it is.

The customer wants to know if the tunnel is IPSec, and if it is not and is TLS-based (there are some hints in the documents that it is), is it at least TLS 1.2 or above?

Any help will be greatly appreciated. This Canal service on the VA is an enigma for me :grin:

Regards,

Raoon Kundi

It is my understanding that it leverages OpenVPN which would default to TLS 1.2. I can’t say with 100% confidence but I’m pretty sure this is the case.

Hi, as I understood it, it is not a tunnel in the VPN sense. For me, I could understand it when first looking at the HTTP Proxy configuration.

[image: HTTP Proxy configuration diagram]

In this configuration, IDN connects to internal systems through the VA, and to cloud systems via the HTTP-Proxy machine, perhaps established in a DMZ.

If the firewall does not admit this case, then Secure Tunnel appears. I see it like the last scenario, but here SailPoint acts as the proxy:

[image: Secure Tunnel configuration diagram]

The VA still connects directly to internal systems, and via the SailPoint cloud itself as if it were the proxy.

Regardless of the case, I understand that in the 3 options the VA connects outbound to SailPoint via HTTPS (443). When connecting to the tenant, it shows that the TLS handshake is v1.2:

I have had similar questions from clients here too, because they understand that the standard configuration means insecure, and without arguments it is difficult to show them that TLS is present between the tenant and the VA, and between the tenant and other systems.


Hi, sorry for deleting the latest posts; I have copied the raw openssl output, masking environment names. Here is the output of openssl on a Secure Tunnel environment. It shows TLS v1.2:

sailpoint@sailpoint-va ~ $ openssl s_client -connect DELETED-sb.identitynow.com:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
   i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Feb 16 00:00:00 2023 GMT; NotAfter: Feb 15 23:59:59 2024 GMT
 1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 27 12:48:08 2020 GMT; NotAfter: Dec 31 23:59:59 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2785 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: D7554B940E6413BA3F60BF37B6B944CC0031D28B078620AD8573ADFAE6EAFB9B
    Session-ID-ctx: 
    Master-Key: _DELETED_
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - fa f1 4f 35 6f d8 f5 51-84 48 1b 79 53 83 e7 a0   ..O5o..Q.H.yS...
    0010 - 6a 50 88 17 bb e4 6b 53-8b 9b 8a af c0 12 c0 93   jP....kS........
    0020 - f1 d9 91 a9 bd 2b 73 65-db e1 56 4c a1 b2 f0 1b   .....+se..VL....
    0030 - ae 43 8d 83 06 99 a1 c8-7a 96 29 8f eb 9b 68 40   .C......z.)...h@
    0040 - d6 0d 48 09 e0 75 7c 7f-b7 03 18 ec 21 55 39 bc   ..H..u|.....!U9.
    0050 - 31 c3 51 35 45 07 e1 da-81 eb 56 66 a7 b5 39 84   1.Q5E.....Vf..9.
    0060 - c9 69 67 11 7d 85 13 d4-c5 07 f3 7c 5c 26 41 8b   .ig.}......|\&A.
    0070 - 58 d8 72 93 b6 88 04 bf-1e 42 f2 74 5d 6f cf 9c   X.r......B.t]o..
    0080 - 3a 83 9d db 0f dc 4f ee-e9 16 9b 86 2e fe a0 ed   :.....O.........
    0090 - 6c c3 e1 65 3d 62 ff d8-02 86 10 5e 2e 59 ba 3a   l..e=b.....^.Y.:
    00a0 - c6 17 2c 5f ae 1e f5 be-60 11 97 5b f5 97 ce 67   ..,_....`..[...g
    00b0 - 9f ca a4 d5 aa 22 dd bf-c9 58 60 19 75 ac e0 79   ....."...X`.u..y

    Start Time: 1694784327
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

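The transcript above answers the question by eye: one has to find the `Protocol` and `Cipher` lines and the `Verify return code`. When a security team wants this repeated for every tenant endpoint, it helps to turn the same check into a script. The following is an added example, not code from the thread or from SailPoint: it parses captured `openssl s_client` output (the shape shown above) and evaluates it against a policy (TLS 1.2 or newer, chain verification OK, forward-secret key exchange, AEAD cipher), and it also offers a live probe using Python's `ssl` module that refuses anything below TLS 1.2. The host names, the policy thresholds and the two sample transcripts are constructed for the example.

```python
"""
Added example (not from the original thread): audit the TLS properties of an
HTTPS endpoint the way the openssl s_client transcript in the thread does.

1. parse_s_client_output(): parse captured `openssl s_client` text and
   evaluate it against a minimum policy.
2. probe_endpoint(): perform the same check live with Python's ssl module,
   refusing anything older than TLS 1.2.

Policy thresholds and sample texts are assumptions of this example.
"""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

# Protocol versions the policy accepts. Anything not listed fails.
ACCEPTABLE_VERSIONS = ("TLSv1.2", "TLSv1.3")


@dataclass
class TlsFacts:
    protocol: str
    cipher: str
    verify_ok: bool
    forward_secret: bool
    aead: bool

    @property
    def meets_policy(self) -> bool:
        return (self.protocol in ACCEPTABLE_VERSIONS and self.verify_ok
                and self.forward_secret and self.aead)


def classify_cipher(cipher: str) -> tuple[bool, bool]:
    """Return (forward_secret, aead) for an OpenSSL cipher-suite name.
    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always both."""
    if cipher.startswith("TLS_"):
        return True, True
    forward_secret = cipher.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in cipher for tag in ("GCM", "CHACHA20-POLY1305", "CCM"))
    return forward_secret, aead


def parse_s_client_output(text: str) -> TlsFacts:
    """Extract negotiated protocol, cipher and verification result from the
    SSL-Session block of `openssl s_client` output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    verify = re.search(r"^\s*Verify return code:\s*(\d+)", text, re.M)
    if not (proto and cipher and verify):
        raise ValueError("not a complete openssl s_client transcript")
    fs, aead = classify_cipher(cipher.group(1))
    return TlsFacts(proto.group(1), cipher.group(1),
                    verify.group(1) == "0", fs, aead)


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> TlsFacts:
    """Live check: open a TLS connection that refuses anything older than
    TLS 1.2 and verifies the chain against the system trust store.
    Raises ssl.SSLError if the server cannot meet that minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name = tls.cipher()[0]
            fs, aead = classify_cipher(cipher_name)
            # If wrap_socket returned, hostname and chain verification passed.
            return TlsFacts(tls.version(), cipher_name, True, fs, aead)


# Constructed sample, abbreviated from the shape of the transcript above.
SAMPLE_GOOD = """\
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Verify return code: 0 (ok)
"""

# Constructed sample of a legacy endpoint that should fail the policy.
SAMPLE_BAD = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        facts = parse_s_client_output(sample)
        print(name, facts, "policy OK" if facts.meets_policy else "policy FAIL")
    # Live use (network required), e.g.:
    # print(probe_endpoint("example-tenant.identitynow.com"))
```

`probe_endpoint` reuses the system trust store, so a `Verify return code` other than 0 in the transcript corresponds to an `ssl.SSLCertVerificationError` here; run it from the VA itself (as the thread's `openssl s_client` was) so that any egress proxy or TLS-inspecting firewall on the path is included in what you measure.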
