On 4/12/18 12:18 pm, johnr wrote:
>> What are your squid.conf settings now?
>
> http_port 3128 ssl-bump

You are missing a CA certificate for the bumping process to use for the
certificates it sends the clients.

Also you do not have any ssl_bump lines here. They are required to tell
Squid which of the TLS/SSL traffic to consider for handling. Without
those lines the ssl-bump on the port does nothing.

> tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
>

This should be:

  tls_outgoing_options options=NO_TICKET,ALL,No_SSLv3 min-version=1.0

That use of "ALL" there is a bit obscure. What it actually does is
*enable* all sorts of unsafe security features the library would
normally disable by default. Such as 8-bit hashes and very insecure RSA
keys.

The min-version is only required if the library defaults to actively
rejecting TLS/1.0 or such.

To let the library use its defaults you simply do not configure Squid to
require anything at all (ie remove the tls_outgoing_options directive
entirely).

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
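The four problems raised in this reply can be checked mechanically. The Python sketch below is an added example, not part of the original message and not a Squid tool; the function name, finding labels and the CA path in the second sample are assumptions, and `tls-cert=` / `cert=` are taken to be the http_port options that supply the signing certificate.

```python
import re

# The two lines quoted in the thread.
POSTED = """\
http_port 3128 ssl-bump
tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
"""

# Constructed sample: placeholder CA path, one ssl_bump rule, library TLS defaults.
FIXED = """\
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem   # hypothetical path
ssl_bump bump all
"""

def lint_squid_conf(text):
    """Return sorted finding labels for the issues discussed in the reply."""
    findings = set()
    bump_port = False
    has_ssl_bump_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (simplified parsing)
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and "ssl-bump" in args:
            bump_port = True
            # Bumping needs a CA certificate to sign the certificates sent to clients.
            if not any(a.startswith(("cert=", "tls-cert=")) for a in args):
                findings.add("bump-port-without-ca-cert")
        elif directive == "ssl_bump":
            has_ssl_bump_rule = True
        elif directive == "tls_outgoing_options":
            for arg in args:
                key, sep, value = arg.partition("=")
                if not sep:
                    # A bare flag list: the "options=" prefix is missing.
                    findings.add("tls-options-missing-options-prefix")
                    key, value = "options", arg
                if key == "options" and "ALL" in re.split(r"[,:]", value):
                    # ALL enables features the TLS library disables by default.
                    findings.add("tls-options-ALL-enables-unsafe-features")
    if bump_port and not has_ssl_bump_rule:
        # Without ssl_bump rules the ssl-bump flag on the port does nothing.
        findings.add("ssl-bump-port-without-ssl_bump-rules")
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_squid_conf(conf))
```

Run against the posted lines it reports all four findings; the constructed corrected sample reports none.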