Hello Amos,

On Mon, January 11, 2016 11:13, Amos Jeffries wrote:
> On 11/01/2016 10:50 p.m., Walter H. wrote:
>> Hello,
>>
>> I'd restrict the client by using a less resource consuming TLS
>> encryption;
>>
>> I thought of doing just this
>>
>> e.g.
>> http_port 3128 ... cipher=3DES ...
>> (for restricting clients connecting to 3DES)
>>
>> or what would be less resource consuming?
>> AES128?
>
> Depends on the specific TLS library implementation, what other hashes
> etc are used alongside, and any crypto hardware support in the machine
> running it.
>

There is no crypto hardware support as far as I know; my squid box is just
a VM, and I guess squid (I'm using 3.4.10) is using OpenSSL as TLS library
(latest of CentOS 6).

>> the reason why I'm asking this:
>>
>> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
>> SSL-interception, and there the browsers show different Ciphersuites;
>>
>> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
>>
>> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus,
>> the Anti-Virus itself uses 3DES to the proxy server?
>> (the proxy server matches another Ciphersuite to the web host)
>
> Yes it is like that. TLS is point-to-point encryption.

OK, because the strange thing in connection with this:

I had

http_port 3128 ... dhparam=./dhparam.pem

and before installing Kaspersky Anti-Virus there was not any error;
but in connection with the SSL-Interception of Kaspersky Anti-Virus,
I got an SSL error in Mozilla Firefox like "invalid server hello".

Removing dhparam=... from http_port resolves this "issue".

Thanks,
Walter