Thanks Amos.
I have verified that squid build is done with openssl that supports 1.2 but not 1.3.
I am worried that squid does not pass the flag set via options.
I am able to lock squid to tls 1.2 only with sslproxy_version
To be a bit more clear, the squid implementation is a whitelist filtering proxy. It does not bump ssl requests. It does peek and splice on intercept.
On Tue, 6 Oct 2020 at 20:34, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> Hi,
>
> I am trying to allow access for only tls versions 1.2 and above on Squid
> 3.5.20
>
Note that "above 1.2" are not supported by that ancient version of
Squid. Your test disables everything except SSLv1 code in the library.
> For testing purposes, I have set options in squid config as follows.
>
> ```
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
>
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> ```
>
Support for all those options depends on the version, build options, and
global config settings of the OpenSSL library being used. They are just
flags Squid passes to the library on connection setup.
FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
to TLS since then. Please try to upgrade to current Squid-4 stable, or
for best SSL-Bump behaviour the current Squid-5 beta.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Nisa Balakrishnan AutomationEngineer | m: 0473942819 | p: 03 9081 3700 Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008 |
Vibrato has merged with Servian! Check out the news article here
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users