Thanks a lot guys for providing clear explanation.
Much appreciated!
Cheers,
Chris
On Sat, Feb 2, 2019 at 3:29 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2/1/19 4:04 PM, john doe wrote:
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:
* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).
* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::<negotiated_cipher).
For bumped connections, there is also %ssl::>negotiated_cipher.
Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.
Cheers,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
