On 2024-06-10 08:10, Dieter Bloms wrote:
> I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION option to enable access to https://cisco.com.
> The web server does not support secure renegotiation.
> I have tried to set the following options, but squid does not recognize any of them:
>
>   tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
> or
>   tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> and
>   tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> but no matter which syntax I use, I always get the message during squid -k parse:
>
> “2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
>
> How can I activate secure renegotiation for squid?

To set an OpenSSL connection option that Squid does not know by name,
use that option's hex value (based on your OpenSSL sources). For example:
# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
# SSL_OP_BIT(18) which is equal to (1 << 18) or 0x40000 in hex.
tls_outgoing_options options=0x40000
Disclaimer: I have not tested the above and do not know whether adding
that option achieves what you want to achieve.
HTH,
Alex.
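
The lookup described in the reply above, as an added example that is not part of the original message and is not Squid or OpenSSL code: it reads SSL_OP_* definitions from ssl.h-style text, prints the hex value to put after options=, and decodes a numeric options= value back into names for config review. The header text is a constructed sample, the function names are hypothetical, and the plain hex-literal form of a definition is an assumed alternative to the SSL_OP_BIT(n) form quoted in the reply.

```python
import re

# Constructed sample in the style of OpenSSL's include/openssl/ssl.h.
# Replace it with the text of the header your Squid was built against.
SAMPLE_SSL_H = """\
# define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
# define SSL_OP_LEGACY_SERVER_CONNECT                    SSL_OP_BIT(2)
# define SSL_OP_NO_COMPRESSION                           0x00020000U
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        SSL_OP_BIT(18)
# define SSL_OP_ALL  (SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_NO_COMPRESSION)
"""

# Matches "# define SSL_OP_X SSL_OP_BIT(n)" and, as an assumed alternative
# form, "# define SSL_OP_X 0x...U". Composite macros are skipped.
DEFINE_RE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+(SSL_OP_\w+)[ \t]+"
    r"(?:SSL_OP_BIT\((\d+)\)|(0x[0-9A-Fa-f]+)[UL]*)[ \t]*$",
    re.MULTILINE,
)


def load_options(header_text):
    """Map SSL_OP_* names to integer values found in ssl.h-style text."""
    return {
        name: (1 << int(bit)) if bit else int(literal, 16)
        for name, bit, literal in DEFINE_RE.findall(header_text)
    }


def squid_option(header_text, name):
    """Hex string to put after options= for one named SSL_OP_* flag."""
    full = name if name.startswith("SSL_OP_") else "SSL_OP_" + name
    return hex(load_options(header_text)[full])


def decode_options(header_text, value):
    """Names set in a numeric options= value, plus any unrecognised bits."""
    opts = load_options(header_text)
    names = sorted(n for n, v in opts.items() if v and value & v == v)
    known = 0
    for v in opts.values():
        known |= v
    return names, hex(value & ~known)


if __name__ == "__main__":
    print(squid_option(SAMPLE_SSL_H, "ALLOW_UNSAFE_LEGACY_RENEGOTIATION"))
    print(decode_options(SAMPLE_SSL_H, 0x40000))
```

A name that the header does not define raises KeyError, so a mistyped option name fails here instead of producing a wrong value.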