On 19/11/2022 2:55 am, UnveilTech - Support wrote:
> Hi Amos,
>
> We have tested with a "ssl_bump bump" ("ssl_bump all" and "ssl_bump bump sslstep1"), it does not solve the problem.
> According to Alex, we can also confirm it's a bug with Squid 5.x and TLS 1.3.
Okay.
> It seems Squid is only compatible with TLS 1.2, it's not good for the future...
One bug (or lack of ability) does not make the entire protocol "incompatible". It only affects people trying to do the particular buggy action. Unfortunately for you (and others) it happens to be accessing this server cert fingerprint.
I/we have been clear from the beginning that *when used properly* TLS/SSL cannot be "bump"ed - that is true for all versions of TLS and SSL before it. In that same "bump" use-case the server does not provide *any* details, it just rejects the proxy attempted connection. In some paranoid security environments the server can reject even for "splice" when the clientHello is passed on unchanged by the proxy. HTTPS use on the web is typically *neither* of those "proper" setups so SSL-Bump "bump" in general works and "splice" almost always.
Cheers
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
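As an added illustration of the splice-versus-bump distinction discussed above (this fragment is not from the thread and not the Squid project's own configuration), one way to express it in squid.conf: peek at step 1 to learn the server name from the ClientHello, splice the hosts known to reject a bumped connection so their handshake passes through unchanged, and bump everything else. The host names, certificate paths and helper path are placeholders chosen for the example.

```conf
# Added example squid.conf fragment (not from the thread); host names,
# file paths and the helper location are assumptions for illustration.

# Listener with SSL-Bump enabled. Bumped connections get a per-host
# certificate generated on the fly and signed by the proxy's own CA.
http_port 3128 ssl-bump \
    cert=/etc/squid/proxyCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Certificate generator helper (path varies by distribution).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump step 1: only the client's TLS ClientHello has been seen so far.
acl step1 at_step SslBump1

# Hosts where TLS is "used properly" (certificate pinning, client
# certificates, strict server policy). A bumped connection to these is
# rejected by the client or server, so they are tunnelled unchanged.
acl no_bump ssl::server_name .pinned.example
acl no_bump ssl::server_name .mtls.example

# Peek: read the SNI without altering the handshake bytes.
ssl_bump peek step1
# Splice: pass the original ClientHello on unchanged; Squid only sees a tunnel.
ssl_bump splice no_bump
# Bump: terminate TLS at the proxy and re-originate it to the server.
ssl_bump bump all
```

The certificate database referenced by `-s` has to be created once with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB` before Squid starts; connections matching `no_bump` are not inspected, so the access log will record them as CONNECT tunnels only.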