On Tuesday 02 July 2019 at 23:05:27, Cody Cushing wrote:

> Hello, I would like to use Squid as a forward proxy to ensure traffic
> leaving my VM is using a TLS connection negotiated through a client using
> FIPS certified encryption. I have OpenSSL w/FIPS configured on my VM, and
> Squid properly configured as a forward proxy.

So, surely all you need is a firewall to block any direct traffic which
attempts to bypass the TLS client?

> What I do not know is:
> • is this sufficient (does Squid use any available OpenSSL crypto on the
>   system)
> • or do I need to compile a custom Squid build referencing the OpenSSL FIPS
>   "modules" (two C libraries)
> • or does Squid reference completely different crypto libraries and neither
>   of the above two considerations is even valid

You say you want to use "a TLS connection negotiated through a client using
FIPS certified encryption". What's at the other end of that connection (i.e.
what is your VM talking to to create this link)?

Are you saying that you want HTTPS connections from your VM to go only to
remote servers which support this FIPS-certified TLS method, and no other
websites should be accessible?

Or, are you trying to tunnel HTTP and HTTPS traffic from your VM to some
trusted endpoint - if so, what happens to it from there?

Basically, given a connection from your VM to some random website, what part
of the connection are you trying to encrypt in this specific way?

Regards,

Antony.

-- 
"Life is just a lot better if you feel you're having 10 [small] wins a day
rather than a [big] win every 10 years or so."

 - Chris Hadfield, former skiing (and ski racing) instructor

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
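Two things a practitioner would check before going further with the thread above: which libssl/libcrypto the installed squid binary is actually linked against (so it can be compared with the OpenSSL build that carries the FIPS module), and a firewall rule set that implements Antony's suggestion of blocking any traffic that bypasses the proxy. The script below is an added example, not code from the thread or from the Squid project. It assumes a Linux VM with iptables, a squid binary on PATH, and squid running as the user `proxy` (the Debian package default; Fedora/RHEL use `squid`, so pass the right name). The ldd output it parses is a constructed sample, not from a real host.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not from the thread or
# from the Squid project. Assumes a Linux VM with iptables and a squid
# binary on PATH; the proxy user name is an assumption (Debian: "proxy").

# 1. Which TLS library is squid linked against?
#    On a real host:  squid -v            (shows configure options, e.g. --with-openssl)
#                     ldd "$(command -v squid)"
#    This helper parses ldd-style text and prints the resolved paths of
#    libssl/libcrypto, one per line, so they can be compared with the
#    OpenSSL build that has the FIPS module installed.
crypto_libs_from_ldd() {
    # $1: text in the format `ldd` prints
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so/ { print $3 }'
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f100000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f300000)'

# 2. Egress rules that force everything through the proxy: only the squid
#    user may open outbound 80/443; any other process on the VM that tries
#    to go direct gets a TCP reset. Emitted as text so the rules can be
#    reviewed before being applied (e.g.  egress_rules proxy | sh).
egress_rules() {
    proxy_user=${1:-proxy}   # assumption: squid runs as this user
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $proxy_user -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Stand-alone run: show what the helpers produce on the sample input.
if [ "${1:-}" = "demo" ]; then
    echo "TLS libraries in sample ldd output:"
    crypto_libs_from_ldd "$SAMPLE_LDD"
    echo "Egress rules for proxy user 'proxy':"
    egress_rules proxy
fi
```

Note that the rules only cover TCP 80/443; if the goal is that nothing leaves the VM except via the proxy, add a final `REJECT` for all other outbound TCP/UDP from non-proxy users, and remember that the proxy itself still has to be built and configured to use the FIPS-enabled OpenSSL for its outbound side.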