On 10/11/18 7:04 AM, Martin Hoffmann wrote:
> I'm using squid 4.4 as a remote proxy for an https server.
> Squid 4.4 comes from Debian testing and is compiled with --with-gnutls
> (no openssl support).
>
> How can I disable certain cipher suites or protocols (like TLS 1.0)?
>
> From my understanding I should add tls-min-version=1.1 to https_port -
> but that is ignored...?

Hmm, I think I've found a bug in there which would cause that.

> Where can I add GnuTLS priority strings to disable certain ciphers?
>

Use "tls-options=". It is not yet documented since it has not had much
testing. For GnuTLS it should take a ':' separated list of priority strings.

FWIW: To work around the above tls-min-version bug, you should add the
priority string ":-VERS-TLS1.0" to that list of your custom ones. That is
what the min-version option should have been doing but clearly is not.

> I guess documentation about https_port is somewhat misleading as it
> often refers to the openssl config.

Most documentation is still about OpenSSL because that is the older feature
set. Settings that are named with "tls" prefixes have been given GnuTLS
support and should work for either library unless explicitly stated as
requiring one in particular.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
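An added illustration of the workaround Amos describes, written for this page and not taken from the original thread or from Squid's own documentation: the https_port line as it would look when it relies on tls-min-version= (which the GnuTLS build in this thread ignores), beside the same line with the protocol versions disabled through tls-options= instead. The port, the defaultsite= host, the certificate and key paths and the extra priority keywords beyond -VERS-TLS1.0 are assumptions chosen for the example; tls-cert= and tls-key= are the Squid 4 option names for the certificate and private key. The priority string is written out starting with NORMAL so that it is a complete GnuTLS priority string on its own rather than depending on whatever base Squid may or may not prepend.

```conf
# Before (assumed config for this example): the TLS floor is expressed only
# through tls-min-version=, which per this thread has no effect on a
# GnuTLS build of Squid 4.4, so TLS 1.0 clients are still accepted.
https_port 443 accel defaultsite=www.example.com tls-cert=/etc/squid/cert.pem tls-key=/etc/squid/key.pem tls-min-version=1.1

# After: the same listener with the version floor expressed as GnuTLS
# priority keywords via tls-options=. "-VERS-TLS1.0" is the entry Amos
# names; "-VERS-SSL3.0", "-VERS-TLS1.1" and "%SERVER_PRECEDENCE" (let the
# server's cipher order win) are additional keywords assumed here for a
# hardened baseline. Keep tls-min-version= as well so the intended floor
# is still stated once the underlying bug is fixed.
https_port 443 accel defaultsite=www.example.com tls-cert=/etc/squid/cert.pem tls-key=/etc/squid/key.pem tls-min-version=1.2 tls-options=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE
```

Check the edited file with `squid -k parse` before reloading; it reports a malformed priority string at startup rather than at the first handshake. After the reload, confirm the change from the outside by forcing a TLS 1.0 handshake against the listener with a client that supports it and checking that the handshake is refused, since the absence of an error in squid.conf says nothing about what the listener actually negotiates.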