On 2/02/19 12:04 pm, john doe wrote:
> Hi Squid-Community,
>
> I've a question for which I haven't been able to find an answer.
>
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.

The sslproxy_* directives (as of v4 called tls_outgoing_options) are for TLS/SSL control of connections to servers.

The https_port and http_port directives have options for TLS/SSL on connections from clients.

The cache_peer directive has options for fine tuning or locking down TLS/SSL to each peer server.

> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?

For TLS interactions between the client and server (CONNECT tunnels) then Yes, you need to MITM (SSL-Bump) to interact with their crypto.

For TLS between client and proxy, then no. Squid is in control already - at least of the proxy end of the connection.

> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
>

None needed. Nobody knows everything about Squid (even us official and long-term devs). Help is what this list is for :-)

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
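The three TLS "sides" Amos distinguishes above (client to proxy, proxy to origin server, proxy to a specific peer), plus the SSL-Bump case for CONNECT tunnels, map onto four separate pieces of squid.conf. The fragment below is an added illustration written for this thread, not configuration taken from the original post or from the Squid project's documentation. It uses Squid 4 directive names (the 3.5 equivalents are in comments); the certificate paths, peer hostname, cipher strings and cache sizes are placeholders to be replaced with values appropriate to your deployment.

```conf
# --- Client <-> proxy: TLS that terminates at Squid ---------------------------
# The cipher= and options= lists here govern only the browser-to-proxy leg.
# Squid 3.5 spelled the certificate options cert= and key= instead of tls-cert= / tls-key=.
https_port 3129 tls-cert=/etc/squid/proxy.crt tls-key=/etc/squid/proxy.key cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1

# --- Proxy <-> origin server: TLS that Squid itself opens -----------------------
# Squid 4: tls_outgoing_options.  Squid 3.5: sslproxy_cipher and sslproxy_options.
# This is what the "sslproxy_cipher" in the question actually controls.
tls_outgoing_options cipher=HIGH:!aNULL:!MD5 options=NO_SSLv3,NO_TLSv1 min-version=1.2

# --- Proxy <-> one specific peer: per-peer override of the outgoing defaults -----
# Squid 3.5 used ssl / sslcipher= / ssloptions= for the same purpose.
cache_peer upstream.example.net parent 443 0 no-query tls tls-cipher=HIGH:!aNULL:!MD5 tls-options=NO_SSLv3,NO_TLSv1

# --- Client <-> origin server inside a CONNECT tunnel ---------------------------
# None of the settings above touch the end-to-end TLS inside a tunnel.  Only when
# Squid bumps (terminates and re-originates) the session do the client-side
# cipher= list and tls_outgoing_options apply to it.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Without the last block, `tls_outgoing_options` and the `https_port` cipher list are still worth setting (they harden the legs Squid terminates), but a plain forward proxy passing CONNECT traffic through unbumped has no influence on the cipher negotiated between the browser and the remote site, which is the point of the "Yes, you need to MITM" answer above.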