On 18/11/2022 5:02 am, UnveilTech - Support wrote:
Hello Squid Team,
Can you have a look at this Bugzilla case:
https://bugs.squid-cache.org/show_bug.cgi?id=5245
It’s about a bug with Squid 5.7 and TLS 1.3.
Critical case created on 2022-10-27 09:59 UTC, it would be nice to
have a fix/patch…
As one can see in the bug report Alex has looked at it in some detail.
The solution may be a complex or large change, and thus unlikely to occur
in Squid-5 if so.
There are three things that come to mind immediately as related problems
we cannot do anything about:
1) Squid cannot know in advance what server cert will be provided
(after step2) when it decided to splice (or not) at step2.
2) SHA1 is not the only type of cert fingerprint. The non-working
certs may be providing newer SHA2/3 etc. fingerprints.
3) In TLS/1.3 a lot of data can be hidden inside the encryption. Squid
may simply not be given access to the [real] fingerprint unless bump
(decrypt) happens.
HTH
Amos
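
Point 3 above, as an added example that is not part of the original message or of Squid's code: a passive parser over the server's first flight finds the Certificate message in plaintext in TLS 1.2, but in TLS 1.3 only the ServerHello is readable. The byte strings are constructed samples with filler bodies, and all function names are hypothetical.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 2, 11, 14

def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        pos += 5 + length

def plaintext_handshake_types(stream):
    """Handshake message types an observer can read without decrypting."""
    buf = b""
    for ctype, payload in records(stream):
        if ctype != HANDSHAKE:
            break  # everything after CCS / application_data is encrypted
        buf += payload  # messages may be coalesced or span several records
    types, pos = [], 0
    while pos + 4 <= len(buf):
        types.append(buf[pos])
        pos += 4 + int.from_bytes(buf[pos + 1:pos + 4], "big")
    return types

def certificate_visible(stream):
    return CERTIFICATE in plaintext_handshake_types(stream)

# Helpers that build the constructed samples (bodies are filler bytes).
def rec(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# TLS 1.2 server flight: ServerHello and Certificate travel in the clear.
TLS12_FLIGHT = (rec(HANDSHAKE, hs(SERVER_HELLO, bytes(38)) + hs(CERTIFICATE, bytes(64)))
                + rec(HANDSHAKE, hs(SERVER_HELLO_DONE, b"")))
# TLS 1.3 server flight: only ServerHello is plaintext; the Certificate is
# inside an encrypted record that looks like application_data on the wire.
TLS13_FLIGHT = (rec(HANDSHAKE, hs(SERVER_HELLO, bytes(38)))
                + rec(CHANGE_CIPHER_SPEC, b"\x01")
                + rec(APPLICATION_DATA, b"\xaa" * 80))

if __name__ == "__main__":
    print("TLS 1.2 certificate visible:", certificate_visible(TLS12_FLIGHT))
    print("TLS 1.3 certificate visible:", certificate_visible(TLS13_FLIGHT))
```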