
Re: How to restrict the maximum negotiated version of squid HTTPS to TLS1.2


On 2/04/19 2:10 pm, 赵 俊 wrote:
> Hi, this is part of my squid.conf:
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA 
> 
> acl broken_sites ssl::server_name foo.com 
> acl ssl_step1 at_step SslBump1
> 
> ssl_bump peek ssl_step1
> ssl_bump bump broken_sites
> ssl_bump splice all
> 
> So how do I restrict the maximum negotiated version of Squid HTTPS to TLS 1.2?


That is not possible without patching Squid. Only versions up to TLS/1.2
can be controlled by any published Squid.


> I also tried configuring it like this:
> 
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem  version=4 
> 
> It did not work.
> 

The deprecated 'version=4' setting means TLS/*1.0* only.

> The access.log shows TCP/TUNNEL 200.
> 

That indicates that the protocol arriving from the client is probably
not TLS or SSL in any form, but some other protocol. If that is true
then no matter what you set for TLS versions allowed it will always tunnel.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
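Amos's diagnosis above (a TCP/TUNNEL 200 on the ssl-bump port means whatever arrived was probably not TLS, so no version setting can matter) is something you can check directly on the wire. The script below is an added example for this thread, not Squid code and not part of the original messages: it parses the first record a client sends to the intercept port and reports whether it is a TLS ClientHello, which server name it carries (the value the `ssl::server_name` ACL in the quoted config matches on), and the highest protocol version the client offers. The sample bytes are constructed inside the script so it runs offline; in real use they would come from a capture of the traffic redirected to 192.168.30.4:3129 (that address is taken from the quoted config, everything else is an assumption). It also shows why a TLS 1.2 ceiling is about the extension rather than the version fields: a TLS 1.3 client keeps `legacy_version` at 0x0303 and announces 1.3 only through `supported_versions`.

```python
"""Classify the first bytes a client sends to an intercept port: is it a
TLS ClientHello at all, and which protocol versions does it offer?

Added example for this squid-users thread; not Squid code.  The ClientHello
bytes are constructed below (not captured traffic) so the script runs offline.
"""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SERVER_NAME = 0          # RFC 6066
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446; the only place a TLS 1.3 offer appears


def _name(v):
    # Unknown values (e.g. GREASE 0x0a0a) are shown as hex, not as a version.
    return TLS_VERSIONS.get(v, "0x%04x" % v)


def build_client_hello(supported_versions, sni="foo.com", legacy_version=0x0303):
    """Build a minimal ClientHello record (used only to construct sample input)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type host_name
        lst = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", EXT_SERVER_NAME, len(lst)) + lst
    if supported_versions:
        vlist = b"".join(struct.pack(">H", v) for v in supported_versions)
        body = bytes([len(vlist)]) + vlist
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = struct.pack(">H", legacy_version) + bytes(32)             # version, random
    hello += b"\x00"                                                  # empty session id
    hello += struct.pack(">H", 2) + b"\x13\x01"                      # TLS_AES_128_GCM_SHA256
    hello += b"\x01\x00"                                              # null compression only
    hello += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello              # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs          # record: handshake


def parse_client_hello(data):
    """Return a dict describing the ClientHello in `data`, or None when the
    bytes are not a TLS handshake record carrying a ClientHello (the case
    in which an ssl-bump port can only fall through to a TCP/TUNNEL)."""
    try:
        if data[0] != 0x16:                                # content type 22 = handshake
            return None
        rec_ver, rec_len = struct.unpack(">HH", data[1:5])
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                                # handshake type 1 = ClientHello
            return None
        h = body[4:4 + int.from_bytes(body[1:4], "big")]
        legacy_ver = struct.unpack(">H", h[0:2])[0]
        pos = 2 + 32                                       # legacy_version + random
        pos += 1 + h[pos]                                  # legacy_session_id
        pos += 2 + struct.unpack(">H", h[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + h[pos]                                  # legacy_compression_methods
        supported, sni = None, None
        if pos < len(h):                                   # extensions are optional
            end = pos + 2 + struct.unpack(">H", h[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack(">HH", h[pos:pos + 4])
                edata = h[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SUPPORTED_VERSIONS:
                    supported = [struct.unpack(">H", edata[1 + i:3 + i])[0]
                                 for i in range(0, edata[0], 2)]
                elif etype == EXT_SERVER_NAME:
                    name_len = struct.unpack(">H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                        # truncated or malformed
    # A TLS 1.3 client keeps legacy_version at 0x0303 and announces 1.3 only in
    # supported_versions, so the maximum comes from the extension when present.
    known = [v for v in (supported or []) if v in TLS_VERSIONS]
    max_ver = max(known) if known else legacy_ver
    return {
        "record_version": _name(rec_ver),
        "legacy_version": _name(legacy_ver),
        "supported_versions": None if supported is None else [_name(v) for v in supported],
        "max_version": _name(max_ver),
        "sni": sni,
    }


def max_offered_version(data):
    """Highest TLS version the client offers, or None if `data` is not TLS."""
    info = parse_client_hello(data)
    return None if info is None else info["max_version"]


# Constructed samples (not captured traffic): a TLS 1.3 hello carrying a GREASE
# value, a hello without supported_versions (so TLS 1.2 at most), and a plain
# HTTP request, which is the sort of input that ends up as TCP/TUNNEL.
SAMPLE_TLS13 = build_client_hello([0x0a0a, 0x0304, 0x0303], sni="foo.com")
SAMPLE_TLS12 = build_client_hello([], sni="foo.com")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("tls13", SAMPLE_TLS13), ("tls12", SAMPLE_TLS12), ("http", SAMPLE_HTTP)):
        print(label, parse_client_hello(sample))
```

Feed it the first client-to-proxy payload from a capture of the intercept port: a None result means the bytes are not a TLS ClientHello and the TCP/TUNNEL entries are explained before any version setting comes into play; a result whose max_version is TLS1.3 is a client that will negotiate 1.3 unless the proxy refuses the supported_versions offer.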

