On 2/04/19 6:07 pm, Amos Jeffries wrote:
> On 2/04/19 2:10 pm, 赵 俊 wrote:
>> Hi, this is part of my squid.conf:
>> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA
>>
>> acl broken_sites ssl::server_name foo.com
>> acl ssl_step1 at_step SslBump1
>>
>> ssl_bump peek ssl_step1
>> ssl_bump bump broken_sites
>> ssl_bump splice all
>>
>> so how to restrict the maximum negotiated version of squid HTTPS to TLS1.2?
>
>
> That is not possible without patching Squid. Only versions up to TLS/1.2
> can be controlled by any published Squid.
>

You could try configuring your OpenSSL not to use TLS/1.3.

<http://openssl.6102.n7.nabble.com/How-to-disable-TLS-1-3-in-OpenSSL-1-1-1-td76300.html>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
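
One way to apply the suggestion in the reply above, shown as an added example that is not part of the original message or of Squid's documentation: an OpenSSL 1.1.1 configuration fragment that caps the library-wide default at TLS 1.2. It assumes the OpenSSL build used by Squid loads this file at start-up (the file's location varies by distribution) and that nothing in the application raises the protocol range again; the section names are arbitrary labels chosen for this example.

```ini
# openssl.cnf fragment (added example; section names are arbitrary labels).
# The openssl_conf line must appear in the default section, that is,
# before any [section] header in the file.
openssl_conf = default_conf

[default_conf]
# Points the library at the SSL module configuration below.
ssl_conf = ssl_sect

[ssl_sect]
# system_default is applied to every SSL_CTX the library creates,
# so it covers both the client-facing and server-facing sides of a bump.
system_default = system_default_sect

[system_default_sect]
# Highest protocol version the library will negotiate.
MaxProtocol = TLSv1.2
```

This setting affects every program that reads the same configuration file, so pointing only the Squid process at a dedicated copy through the `OPENSSL_CONF` environment variable keeps the change scoped. After a restart, a handshake attempt with `openssl s_client -tls1_3` against a bumped site should fail, while `-tls1_2` should succeed.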