On 2/04/19 2:10 pm, 赵 俊 wrote:
> Hi, this is part of my squid.conf:
>
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA
>
> acl broken_sites ssl::server_name foo.com
> acl ssl_step1 at_step SslBump1
>
> ssl_bump peek ssl_step1
> ssl_bump bump broken_sites
> ssl_bump splice all
>
> So how do I restrict the maximum negotiated version of Squid HTTPS to TLS 1.2?

That is not possible without patching Squid. Only versions up to TLS/1.2
can be controlled by any published Squid.

> I also tried configuring it like this:
>
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem version=4
>
> It did not work.

The deprecated 'version=4' setting means TLS/*1.0* only.

> The access.log shows TCP/TUNNEL 200.

That indicates that the protocol arriving from the client is probably
not TLS or SSL in any form, but some other protocol. If that is true
then no matter what you set for TLS versions allowed it will always tunnel.

Amos
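To make concrete what "only versions up to TLS/1.2 can be controlled" means in practice, here is the poster's https_port line with the version controls that published Squid exposes. This is an added illustration, not part of the thread or of the Squid project's documentation; it assumes the Squid 3.5-style `options=` list of OpenSSL SSL_OP_* names on https_port (Squid 4 spells the same setting `tls-options=`), and it assumes the rest of the poster's configuration is unchanged.

```conf
# Added example (not from the original thread or the Squid project).
# Assumes Squid 3.5-style "options=" on https_port; Squid 4 renamed it "tls-options=".
#
# Each NO_* flag switches off one protocol version on the client-facing side
# of connections that Squid actually bumps (spliced connections are passed
# through untouched, so these flags never apply to them). Disabling SSLv3,
# TLS 1.0 and TLS 1.1 leaves TLS 1.2 as the lowest version a bumped client
# may negotiate. There is no corresponding flag for the version above 1.2,
# which is the limitation the reply describes: the minimum can be raised,
# the maximum cannot be capped at 1.2 without patching Squid.
https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1

# Do not mix this with the deprecated "version=N" selector. As the reply
# notes, version=4 pins the listener to TLS 1.0 alone, which is the opposite
# of what the poster was trying to achieve.
```

When checking whether such a change had any effect, remember the reply's last point: an access.log entry of TCP_TUNNEL means Squid never saw a TLS handshake to which these options could apply, so the log should first be checked for bumped (non-tunnel) entries before drawing conclusions about version negotiation.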