Thanks Amos for your quick reply,

I tried your recommendations but nothing works, I can't get TLS 1.2 to work.

I get a 404 error on your patch link.

Cheers,
Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: jeudi 15 mars 2012 11:32
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: RE: TLS v1.2 support

On 15/03/2012 8:41 p.m., Sébastien WENSKE wrote:
> Hello Amos,
>
> I probably made a mistake.... because I built openssl 10.0.1 in /lib_indep and specified the path in ./configure with "--with-openssl=/lib_indep/include/openssl"
> Squid works well, but no change on SSL Lab Server Test:
> https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr

Looking at it Squid has no explicit support for TLSv1.1 or 1.2. But the TLS/SSL auto-negotiate (https_port ... version=1) should be arranging for it to appear. You might need to also set the ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1 for the new ones to show up though.

I have a patch you can try at
http://www.squid-cache.org/~amosjeffries/patches/squid-3.1_upgrade_TLSv12.patch
It adds support for the server/client methods and NO_TLSv1_* options to help with your experimenting.

Amos

> Cheers,
> Sebastien W.
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: mercredi 14 mars 2012 22:33
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: RE: TLS v1.2 support
>
> On 15.03.2012 05:16, Sébastien WENSKE wrote:
>> OpenSSL 1.0.1 (not 10.0.1)
>>
>> -----Original Message-----
>> From: Sébastien WENSKE [mailto:sebastien@xxxxxxxxx]
>> Sent: mercredi 14 mars 2012 17:14
>> To: squid-users@xxxxxxxxxxxxxxx
>> Subject: TLS v1.2 support
>>
>> Hi guys,
>>
>> OpenSSL 10.01 just released, it seems that it supports TLS v1.2.
>>
> Thanks for the heads-up.
>
>
>> What about Squid?
> Squid supports whatever the library you build it with does.
>
> About the only relevance a change like this has is if there are new options which we have to map from squid.conf to the OpenSSL API calls ("NO_TLSv11" or such.). Or if they do some more ABI-breaking alterations like the 1.0.0 c->d re-write had.
>
> Amos
>
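Added example, not part of the original thread and not Squid or OpenSSL code: a simplified Python model of the auto-negotiate behaviour discussed above, showing which protocol versions remain on offer for a given NO_* option list and linked OpenSSL version. The token spellings NO_TLSv1_1 and NO_TLSv1_2 are assumed from the "NO_TLSv1_*" wording in the thread, and all function names are hypothetical.

```python
import re

# Protocol versions in ascending order. Per the thread, TLSv1.1 and TLSv1.2
# only exist when the linked OpenSSL is 1.0.1 or newer.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
NEEDS_101 = {"TLSv1.1", "TLSv1.2"}

# Option token -> protocol it disables. NO_TLSv1_1 and NO_TLSv1_2 are assumed
# spellings of the "NO_TLSv1_*" options mentioned in the thread.
DISABLES = {
    "NO_SSLv2": "SSLv2",
    "NO_SSLv3": "SSLv3",
    "NO_TLSv1": "TLSv1",
    "NO_TLSv1_1": "TLSv1.1",
    "NO_TLSv1_2": "TLSv1.2",
}


def lib_version(text):
    """Turn '1.0.1' or '1.0.0d' into a comparable tuple such as (1, 0, 1)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    return tuple(int(g) for g in m.groups())


def enabled_protocols(options, openssl_version):
    """Protocols an auto-negotiating listener can still offer."""
    has_101 = lib_version(openssl_version) >= (1, 0, 1)
    offered = [p for p in PROTOCOLS if has_101 or p not in NEEDS_101]
    for token in filter(None, re.split(r"[,:\s]+", options)):
        if token not in DISABLES:
            # Fail loudly so a typo such as NO_TLSv11 is not silently ignored.
            raise ValueError("unknown option: %r" % token)
        if DISABLES[token] in offered:
            offered.remove(DISABLES[token])
    return offered


def negotiate(options, openssl_version, client_protocols):
    """Highest version both sides support, or None if the handshake must fail."""
    common = [p for p in enabled_protocols(options, openssl_version)
              if p in client_protocols]
    return common[-1] if common else None
```

An empty result from `enabled_protocols` means the binary is linked against a library older than 1.0.1 while everything that library supports has been disabled, so no handshake can succeed.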