LinuxQuestions.org
Old 03-22-2018, 01:35 PM   #1
ajeandy
Is this possible? Termination Proxy question


Here's my problem....

I have a legacy application that runs on Windows. It is not open source and I don't have access to the source code. It was compiled on an older .NET library that apparently only communicates on TLS 1.0.

It has a DLL with a certificate that calls out to a payment processor. This payment processor will no longer be accepting calls using TLS 1.0 pretty soon.

I was wondering if it were possible to redirect this traffic to a proxy server, capture & decrypt the traffic then retransmit the traffic to the original destination using TLS 1.2 & return the response to the original host?

I know this is precisely a man in the middle.

I have a feeling this isn't going to work because of CAs but I'm pretty new to CAs & TLS in general.

Does anyone have any advice?
 
Old 03-23-2018, 10:40 AM   #2
MensaWater
I know it is possible because we ran into a similar problem when we were still using RHEL5 (before it went end of life). We were doing curl connections to a credit card processor and they quit allowing TLSv1.0 a long time ago. We found curl on RHEL5 didn't even give options for TLSv1.1 or v1.2. On installing an upstream version of curl that did give those options we found that the openssl version on RHEL5 didn't support TLSv1.1 or v1.2 so curl would still fail. RedHat told us they wouldn't update because they considered it a "feature" rather than a bug.

One of our folks set up a web proxy that did make connections via TLSv1.1 on a separate server and changed our process to point the curl to that proxy rather than directly to the vendor.

Unfortunately I didn't do the proxy setup so can't give you any details but thought you'd like to know it is at least a feasible idea.

Last edited by MensaWater; 03-23-2018 at 11:33 AM.
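
The re-encrypting proxy discussed in this thread, sketched as an added example (not code from either poster): it accepts TLS 1.0 from the legacy application and opens a separate, fully verified TLS 1.2+ connection to the processor. The hostname `processor.example`, the listen address and port, and the certificate and key paths are placeholders; it assumes the legacy application can be pointed at the proxy and trusts the certificate the proxy presents.

```python
import asyncio
import ssl
import sys

# Assumptions (not from the thread): processor hostname, listen address, cert paths.
UPSTREAM_HOST, UPSTREAM_PORT = "processor.example", 443
LISTEN_ADDR, LISTEN_PORT = "127.0.0.1", 8443

def outbound_context():
    """Proxy -> processor leg: TLS 1.2 or newer, certificate and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def inbound_context(certfile, keyfile):
    """Legacy app -> proxy leg: the only place TLS 1.0 is still accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # OpenSSL 3.x only negotiates TLS 1.0 at security level 0.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

async def pipe(reader, writer):
    """Copy one direction until EOF, then close the write side."""
    try:
        while data := await reader.read(16384):
            writer.write(data)
            await writer.drain()
    except OSError:  # includes ssl.SSLError and connection resets
        pass
    finally:
        writer.close()

async def handle(client_r, client_w):
    try:
        # server_hostname defaults to the host, so the processor's cert is checked against it.
        up_r, up_w = await asyncio.open_connection(
            UPSTREAM_HOST, UPSTREAM_PORT, ssl=outbound_context())
    except OSError:
        client_w.close()  # fail closed: never fall back to a weaker upstream leg
        return
    await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w))

async def main(certfile, keyfile):
    server = await asyncio.start_server(
        handle, LISTEN_ADDR, LISTEN_PORT, ssl=inbound_context(certfile, keyfile))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main(sys.argv[1], sys.argv[2]))
```

The weakened settings are confined to `inbound_context`, so the TLS 1.0 leg should stay on a host or network segment you control, while the leg that crosses the Internet keeps modern protocol and certificate checks.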