On 12/7/19 8:54 AM, Nikolaus wrote:

> https://github.com/nthuemmel/squid/tree/tls_downgrade_compatibility
>
> I would of course be glad if the fix could be merged into the main squid
> repository. If you are a dev, please let me know what you think and if I
> should open a pull request.

FYI: There are two other ongoing and independent efforts related to TLS v1.3 version handling:

[1] Fix stalled SslBump-peeked connections from older browsers
    https://github.com/measurement-factory/squid/pull/60/

[2] Bug 5011: TLS 1.3 connection get stuck when parsing ServerHello
    https://bugs.squid-cache.org/show_bug.cgi?id=5011

My team is responsible for [1]. Our unofficial (and currently very unpolished) code should be ready for the official review in a couple of weeks. AFAICT from a quick look through your changes, we are working on the same or a very similar problem. If you can test [1] in your environment, please let me know whether it works in your environment.

I am not sure what is the best way to minimize further duplication of effort here. Here is one option: If [1] works in your environment, and you would rather avoid porting your changes to master, then perhaps you can help with reviewing and backporting [1] (after it is officially reviewed) to v4 instead.

If you decide to improve your branch towards its official submission, please see https://wiki.squid-cache.org/MergeProcedure and keep in mind that you will need to port your changes to master. Please also consider _not_ storing the entire array of parsed supported versions if storing just a couple of them (or storing their implications) is sufficient. Please also note that SSL_set_max_proto_version() is not available in OpenSSL v1.0. If Squid still supports that older OpenSSL version, it would be best to avoid dropping that support because of this change.

If you have technical/development comments regarding [1], they are probably best handled as pull request comments on GitHub (or a discussion on the squid-dev@ mailing list). The squid-users@ mailing list is not a good place to discuss code.

Thank you,

Alex.
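
The suggestion in the message above to store only a couple of the parsed supported versions (or their implications) instead of the whole array, sketched as an added example. This is not code from Squid, from the tls_downgrade_compatibility branch, or from [1]; the struct and function names are hypothetical, and the input is assumed to be the extension_data of a ClientHello supported_versions extension.

```cpp
#include <cstddef>
#include <cstdint>

// Summary of a ClientHello supported_versions extension (RFC 8446, 4.2.1).
// Hypothetical type for this example; not a Squid data structure.
struct SupportedVersionsSummary {
    bool valid = false;        // extension body was well-formed
    bool offersTls13 = false;  // 0x0304 was present in the list
    uint16_t highest = 0;      // highest non-GREASE version seen, 0 if none
};

// GREASE values (RFC 8701) have the form 0x?A?A with both bytes equal.
static bool isGrease(uint16_t v)
{
    return (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff);
}

// Parses the client's extension_data: a one-byte length followed by that
// many bytes of 2-byte versions. Only the summary is kept; the list itself
// is never copied. Draft TLS 1.3 values (0x7fXX) are not special-cased.
SupportedVersionsSummary summarizeSupportedVersions(const uint8_t *data, size_t size)
{
    SupportedVersionsSummary s;
    if (!data || size < 1)
        return s;
    const size_t listLen = data[0];
    // The list must fill the extension exactly, hold at least one
    // version, and have an even byte count.
    if (listLen != size - 1 || listLen < 2 || listLen % 2 != 0)
        return s;
    for (size_t i = 1; i + 1 < size; i += 2) {
        const uint16_t v = static_cast<uint16_t>((data[i] << 8) | data[i + 1]);
        if (isGrease(v))
            continue; // reserved values must not influence the summary
        if (v == 0x0304)
            s.offersTls13 = true;
        if (v > s.highest)
            s.highest = v;
    }
    s.valid = true;
    return s;
}
```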