On 2/1/19 4:04 PM, john doe wrote:
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.

If you want to restrict ciphers used by clients establishing a TLS connection with the origin server (via a CONNECT tunnel through Squid) but you do not want to bump client-origin traffic that uses permitted ciphers, then you have several options, including:

* Deny access to clients that offer banned ciphers to servers. Requires either a silent TCP connection termination or bumping to serve an error page. Requires TLS Client Hello analysis that is only supported in v4+ (via an external ACL and %>handshake).

* Deny access to servers that select banned ciphers (from the list of all ciphers offered by clients). Requires either a silent TCP connection termination or bumping to serve an error page. Requires TLS Server Hello analysis that is only supported in v4+ (via an external ACL and %ssl::<negotiated_cipher). For bumped connections, there is also %ssl::>negotiated_cipher.

Sorry, I ran out of time to polish and detail the above further, but others on the list can help you if you need more information.

Cheers,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
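The first option above (Client Hello analysis through an external ACL fed by %>handshake), as an added example that is not part of the original thread: a Python external ACL helper that decodes the base64 handshake Squid 4+ hands it, parses the cipher suites the client offered and answers OK when a deny-listed suite appears, so that a `ssl_bump terminate` rule can silently drop that client. The squid.conf wiring in the docstring, the helper path, the deny-list and the `build_client_hello` test input are constructed assumptions, not Squid project code.

```python
"""Squid 4+ external ACL helper (constructed example): match clients whose TLS
ClientHello offers a banned cipher suite. Assumed squid.conf wiring; the step1
peek makes the ClientHello available when the step2 ssl_bump rules are evaluated:
  external_acl_type weak_hello ttl=0 %>handshake /usr/local/bin/cipher_acl.py
  acl weak_cipher_client external weak_hello
  ssl_bump peek step1
  ssl_bump terminate weak_cipher_client
  ssl_bump splice all"""
import base64
import struct
import sys

# Constructed deny-list (IANA suite values): RC4-MD5, RC4-SHA, 3DES-EDE-CBC-SHA.
BANNED = {0x0004, 0x0005, 0x000A}

def offered_ciphers(raw: bytes) -> list:
    """Cipher suites offered in a TLS ClientHello ([] if not one); assumes it fits in one record."""
    # record: type(1) version(2) length(2); handshake: type(1) length(3)
    if len(raw) < 9 or raw[0] != 0x16 or raw[5] != 0x01:
        return []
    pos = 43                              # after both headers(9), legacy_version(2), random(32)
    if pos < len(raw):
        pos += 1 + raw[pos]               # skip session_id
    if pos + 2 > len(raw):
        return []
    (cs_len,) = struct.unpack("!H", raw[pos:pos + 2])
    suites = raw[pos + 2:pos + 2 + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        return []
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]

def verdict(b64_handshake: str) -> str:
    """External ACL reply for one %>handshake field: OK means the ACL matches."""
    try:
        raw = base64.b64decode(b64_handshake, validate=True)
    except ValueError:
        return "ERR"                      # undecodable input never matches
    return "OK" if set(offered_ciphers(raw)) & BANNED else "ERR"

def build_client_hello(ciphers: list) -> str:
    """Constructed minimal TLS 1.2 ClientHello, base64-encoded like %>handshake (test input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00\x00\x00"                          # null compression only, no extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return base64.b64encode(b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs).decode()

if __name__ == "__main__":
    for line in sys.stdin:                # one request per line, no concurrency channel
        print(verdict(line.strip()), flush=True)
```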