On 13/12/2022 12:34 am, Dieter Bloms wrote:
Hello, I've enabled sslbump and configured the following outgoing tls options: tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA so for me it looks like squid must not use TLS1.1 or TLS1.0.
Correct.
But for some web sites like https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html the first request is made with an tls1.0 client hello packet.
In the pcap provided I see two TLS/1.2 attempts which are being terminated by the server. Immediately followed by TLS/1.3 which is succeeding and doing stuff. Other connections just go straight to TLS/1.3 and do stuff.
FYI, if you are looking at the trace with wireshark the TLS/1.2 packets are labeled as protocol "TLSv1" for some reason I don't know. There is a framing layer for TLS which carries a version number "1.0", but that is shared by all TLS/1.* versions up to and including 1.3.
When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.
I'm not sure why that reload is needed. As mentioned above the visible TLS terminate is immediately followed by successful TLS/1.3 use.
So what option can be used to force a minimum tls1.2 client hello package every time?
The tls-min-version=1.2 which you already used, and appears to be working. Cheers Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
