On 2/4/21 10:32 AM, Prem Chand wrote:
> I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order
> changes when I access the below website through Squid and without using
> squid I'm getting correct order.
>
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
>
> I want to know why and how Squid is changing the cipher suite order and
> how to stop squid from doing it. Please advise.

There are several different use cases related to cipher order in Squid-server connections, including these TLS v1.2 (and earlier) cases:

1. You are specifying "tls_outgoing_options cipher", and you are either not using SslBump or bumping the TLS client during SslBump step1. In this case, Squid should pass your tls_outgoing_options cipher configuration to OpenSSL. What happens next is up to OpenSSL.

2. You are not specifying "tls_outgoing_options cipher", and you are either not using SslBump or bumping the TLS client during SslBump step1. In this case, Squid does not tell what ciphers to use. What happens next is up to OpenSSL.

3. You are bumping the TLS client during SslBump step2. In this case, Squid should give TLS client ciphers to OpenSSL. What happens next is up to OpenSSL.

4. You are bumping the TLS client during SslBump step3. I am not sure what should happen here, but perhaps Squid should, during step2, forward TLS client ciphers that Squid supports, in TLS client order. I do not know whether Squid actually does that.

To understand why ciphers are reordered, you need to figure out which use case applies to your test and, if applicable, investigate whether OpenSSL honors the cipher order specified in SSL_set_cipher_list() and SSL_CTX_set_cipher_list() calls.

If you confirm that Squid should give the cipher list to OpenSSL in your use case, and OpenSSL should honor the cipher order, then you can look for Squid bugs, but that will probably require debugging log analysis and developer-level expertise.

See also: http://lists.squid-cache.org/pipermail/squid-users/2021-January/023155.html

HTH,

Alex.
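
Added example, not part of the original message and not Squid or OpenSSL code: one way to check which of the cases above you are seeing is to capture the ClientHello on both sides of the proxy (client to Squid, Squid to server) and compare the cipher suite lists in wire order. The function names and the sample records are assumptions made for this sketch, and it assumes each ClientHello fits in a single TLS record.

```python
import struct

def client_hello_ciphers(record):
    """Cipher suite IDs, in wire order, from a TLS record holding a ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                    # skip client_version and random
        pos += 1 + hello[pos]           # skip session_id
        (n,) = struct.unpack("!H", hello[pos:pos + 2])
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    raw = hello[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def is_grease(suite):
    """RFC 8701 placeholder values (0x0A0A, 0x1A1A, ...) that clients randomize."""
    return (suite >> 8) == (suite & 0xFF) and (suite & 0x0F) == 0x0A

def compare_order(client, proxy):
    """Classify the proxy-side list against the client-side list."""
    client = [s for s in client if not is_grease(s)]
    proxy = [s for s in proxy if not is_grease(s)]
    if client == proxy:
        return "identical"
    kept_by_proxy = [s for s in proxy if s in client]
    kept_by_client = [s for s in client if s in proxy]
    return "same-order" if kept_by_proxy == kept_by_client else "reordered"

def build_hello(suites):
    """Constructed sample: a minimal TLS 1.2 ClientHello record, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    browser = build_hello([0x0A0A, 0xC02F, 0xC030, 0x009C, 0x002F])  # constructed
    squid = build_hello([0xC030, 0xC02F, 0x009C])                    # constructed
    print(compare_order(client_hello_ciphers(browser), client_hello_ciphers(squid)))
```

A "same-order" result means suites were dropped or added but the shared ones kept the client's relative order; "reordered" means the list the server sees was built from a different preference order than the client's.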