On 03/07/18 23:23, Amish wrote:
> Hello,
>
> I am trying new options in squid 4.1.
>
> For easy readability can I use tls_outgoing_options multiple times in
> squid.conf?
>

Yes. Provided the options specified on each are different.

> Like this: (Tips from
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit)
>
> tls_outgoing_options cafile=/etc/ssl/cert.pem
> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> Will it merge all 3 as if mentioned on 1 single line?

The above will, yes.

> Or will it pick only last (or first) option and internal defaults for rest?

Each option in the directive replaces previous values of that same option.

For example;

  tls_outgoing_options cipher=A cipher=B

is the same as:

  tls_outgoing_options cipher=B

Since above you are setting different named option on every line, your
setup is equivalent to all the options being on one line.

However, Squid understands line wrapping. So this question is not very
useful. You could simplify even further like this:

  tls_outgoing_options \
    cafile=/etc/ssl/cert.pem \
    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:....

>
> I am not an SSL/TLS expert so I do not know how to test this i.e. how to
> know if it's really working.

Then it's a good sign you are asking for help. TLS is a pit of troubles
for the unaware.

To successfully manage use of SSL-Bump features you need at least an
understanding of how the TLS protocol operates. Note that is *not* the
crypto, just how the messaging works.

This directive controls what capabilities Squid lets your OpenSSL
library advertise in clientHello and TLS extension messages sent to
servers (not cache_peer) during a TLS handshake.

So to debug use something like wireshark to look at the packets and see
what the handshake contains.

Amos
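
The merge rule described in the reply above (repeated tls_outgoing_options lines combine, a repeated option name is replaced by its later value, and backslash-wrapped lines count as one), as an added example that is not part of the original message and not Squid's own parser. The function names and the sample config are constructed for illustration, and option values are assumed to contain no whitespace.

```python
DIRECTIVE = "tls_outgoing_options"

# Constructed sample config (not from a real deployment); the cipher
# option is deliberately given twice to show the replacement rule.
SAMPLE = r"""
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options \
    cipher=HIGH:MEDIUM:!RC4:!aNULL \
    cipher=HIGH:!aNULL
"""

def join_continuations(text):
    """Fold lines ending in a backslash into the line that follows."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            logical.append(buf + line)
            buf = ""
    if buf:  # dangling continuation on the last line
        logical.append(buf)
    return logical

def effective_options(text, directive=DIRECTIVE):
    """Return (effective, replaced); the last value of each option wins."""
    effective, replaced = {}, []
    for line in join_continuations(text):
        tokens = line.split()
        if not tokens or tokens[0] != directive:
            continue  # blank line, comment, or another directive
        for tok in tokens[1:]:
            name, _, value = tok.partition("=")
            if name in effective and effective[name] != value:
                replaced.append((name, effective[name], value))
            effective[name] = value
    return effective, replaced

if __name__ == "__main__":
    eff, replaced = effective_options(SAMPLE)
    for name, value in eff.items():
        print(f"{name}={value}")
    for name, old, new in replaced:
        print(f"warning: {name}={old} was replaced by {name}={new}")
```

Running it over a real squid.conf before a reload flags the case where a later line silently replaces an earlier cipher or options value, which is the failure mode the "replaces previous values" rule allows.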