Hi,
I am trying to allow access for only TLS versions 1.2 and above on Squid 3.5.20.
For testing purposes, I have set options in the Squid config as follows:
```
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
```
I test using curl:
```
curl -v https://api.github.com/users/xyz
```
I am able to access GitHub and the SSL connection is TLS 1.2:
```
* Trying 13.236.14.80...
* TCP_NODELAY set
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: Jun 22 00:00:00 2020 GMT
* expire date: Aug 17 12:00:00 2022 GMT
* subjectAltName: host "api.github.com" matched cert's "*.github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> GET /users/xyz HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 05 Oct 2020 22:57:40 GMT
< content-type: application/json; charset=utf-8
< server: GitHub.com
< status: 200 OK
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"
< last-modified: Wed, 23 May 2018 19:43:26 GMT
< x-github-media-type: github.v3; format=json
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< X-Ratelimit-Limit: 60
< X-Ratelimit-Remaining: 59
< X-Ratelimit-Reset: 1601942260
< X-Ratelimit-Used: 1
< Accept-Ranges: bytes
< Content-Length: 1220
< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4
<
{
"login": "xyz",
"id": 14513,
"node_id": "MDQ6VXNlcjE0NTEz",
"avatar_url": "https://avatars1.githubusercontent.com/u/14513?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/xyz",
"html_url": "https://github.com/xyz",
"followers_url": "https://api.github.com/users/xyz/followers",
"following_url": "https://api.github.com/users/xyz/following{/other_user}",
"gists_url": "https://api.github.com/users/xyz/gists{/gist_id}",
"starred_url": "https://api.github.com/users/xyz/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/xyz/subscriptions",
"organizations_url": "https://api.github.com/users/xyz/orgs",
"repos_url": "https://api.github.com/users/xyz/repos",
"events_url": "https://api.github.com/users/xyz/events{/privacy}",
"received_events_url": "https://api.github.com/users/xyz/received_events",
"type": "User",
"site_admin": false,
"name": "xyz",
"company": null,
"blog": "",
"location": null,
"email": null,
"hireable": null,
"bio": null,
"twitter_username": null,
"public_repos": 1,
"public_gists": 0,
"followers": 8,
"following": 1,
"created_at": "2008-06-21T11:58:01Z",
"updated_at": "2018-05-23T19:43:26Z"
}
* Connection #0 to host api.github.com left intact
```
Despite setting NO_TLSv1_2, I am able to make a connection successfully.
What am I missing here?
Any help much appreciated.
--
Nisa Balakrishnan, Automation Engineer | m: 0473942819 | p: 03 9081 3700 | Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008
squid-users mailing list: http://lists.squid-cache.org/listinfo/squid-users
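A check worth running on a transcript like the one above (an added example, not code from the post or from Squid): it pulls the negotiated protocol and the certificate issuer out of `curl -v` output. With ssl-bump, the certificate the client sees is re-signed by the CA given in `https_port cert=...`, so an origin-signed issuer such as DigiCert means that particular session was never terminated by Squid, and `options=`/`sslproxy_options` only govern handshakes Squid itself performs. The bumping CA name is a placeholder for whatever CN is in `/etc/squid/ssl/squid.pem`; the sample transcript is constructed from the lines quoted in the post.

```python
import re

# Added example, not from the original post or from Squid.
# BUMP_CA_CN is a placeholder: use the subject CN of the CA in https_port cert=...
BUMP_CA_CN = "CN=Squid Bump CA"

# Rank protocol names as curl prints them so versions can be compared.
TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2,
            "TLSv1.2": 3, "TLSv1.3": 4}

NEGOTIATED_RE = re.compile(r"\* SSL connection using (\S+) / (\S+)")
ISSUER_RE = re.compile(r"\*\s*issuer: (.+)")


def parse_curl_verbose(transcript):
    """Extract negotiated protocol, cipher and certificate issuer from curl -v output."""
    info = {"protocol": None, "cipher": None, "issuer": None}
    for line in transcript.splitlines():
        m = NEGOTIATED_RE.search(line)
        if m:
            info["protocol"], info["cipher"] = m.group(1), m.group(2)
        m = ISSUER_RE.search(line)
        if m:
            info["issuer"] = m.group(1).strip()
    return info


def assess(info, bump_ca_cn=BUMP_CA_CN, min_version="TLSv1.2"):
    """Return findings explaining whether the transcript exercises the proxy's TLS policy."""
    findings = []
    if info["issuer"] is None:
        findings.append("no server certificate in transcript: handshake did not complete")
    elif bump_ca_cn not in info["issuer"]:
        # ssl-bump re-signs the origin certificate with the configured CA; an
        # origin-signed issuer means Squid never terminated this TLS session, so
        # https_port options= and sslproxy_options could not apply to it.
        findings.append(f"issuer '{info['issuer']}' is not the bumping CA: session was not bumped")
    proto = info["protocol"]
    if proto is not None and TLS_RANK.get(proto, -1) < TLS_RANK[min_version]:
        findings.append(f"negotiated {proto} is below the required {min_version}")
    return findings


# Constructed sample: the relevant lines from the curl output quoted in the post.
SAMPLE = """\
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
"""

if __name__ == "__main__":
    for finding in assess(parse_curl_verbose(SAMPLE)):
        print("FINDING:", finding)
```

Once the issuer check passes (the session really is bumped), a second transcript taken with `curl -v --tls-max 1.1 ...` should show a failed handshake if the listener enforces the minimum; a success there is the real indicator that the version options are not taking effect.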