
Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Thanks, that would be fine.
However, meanwhile I have recompiled squid 4.4 with OpenSSL support (added --enable-ssl and --with-open-ssl=xxx to debian/rules and removed --with-gnutls) just to end up with the same problems: I cannot seem to find how to disable certain protocols or ciphers with squid 4.4.
With squid 3.3 / 3.5 it worked without problems with "https_port ... cipher=ALL:!xxx options=NO_TLSv1,....". However, despite the docs saying these options should still work, Squid 4.4 just exits with the error:

FATAL: Unknown https_port option 'cipher=

FATAL: Unknown https_port option 'options=

This seems to be the case regardless of whether I compile it with OpenSSL support, GnuTLS support or both. BTW, how does Squid "know" which library to choose if it's compiled with both libraries?

So what exactly am I missing here? Are the docs simply wrong? Or outdated?
Which exact keyword should set the OpenSSL ciphers? Which one should set the GnuTLS priority strings? Is it the same keyword with different values?

I have then experimented with e.g. the tls-options=NO_TLSv1 setting in Squid 4.4 with OpenSSL, but without any luck:

FATAL: Unknown TLS option 'NO_TLSv1'


So please, could anyone provide a proven working example for disabling TLS v1 or any cipher in Squid 4.4? Either OpenSSL or GnuTLS would suffice to bring me back on the right track.

Thanks in advance,

Martin

On Tue, 18 Dec 2018 at 07:46, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 18/12/18 3:57 am, Martin Hoffmann wrote:
> Sorry for my late response, but I have been very busy the last weeks. 
> So I could finally find the time to patch my Squid 4.4 with your Patch
> https://github.com/squid-cache/squid/pull/330
>

No worries, similar situation here.

> However running patched squid with the following config still does
> ignore all TLS specific settings (tls-options and tls-min-version):
>
> https_port 1.2.3.4:443 tls-cert=/path/cert.crt
> tls-key=/path/cert.key tls-dh=/path/dhparams.pem tls-min-version=1.2
> accel defaultsite=some.domain.de
>
>
> All attempts to disable certain ciphers or TLS versions via
> 'tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2' also fail -
> no change at all. It is as if squid totally ignores all GnuTLS specific
> settings...? Is there still another bug regarding config?
>

Just the unhelpful "Hmm, that's odd". I intend to re-test all this in the
next month or so to be able to give a better indication of what to
expect to work and see if any other regressions show up.

Sorry,
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users