[squid-dev] [RFC] removal of SSL version options

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 15 12:17:00 UTC 2015


Squid currently has several "version" options to set the SSL/TLS
protocol version.

  http(s)_port ... version=
  cache_peer ... sslversion
  sslproxy_version ...

However,

1) the option configures version X only, which does not follow the
current best practice of most other TLS-enabled software offering a
minimum-version option for compliance with TLS version auto-upgrade
mechanisms.

This can result in Squid installations being stuck unnecessarily on
outdated protocol versions with insecure ciphers.


2) these options overlap with the related ssloptions= values.

These can easily be configured to conflict, such as version setting
TLSv1.0-only and ssl-options enabling other versions with v1.0
forbidden. The order of security context setup prevents this being a
major problem, but it can result in security doing things the admin does
not exactly expect.


3) the http(s)_port option is also easily confused with protocol= since
it lacks a "ssl" prefix seen elsewhere.


I would like to eventually move towards having a TLS minimum-version
parameter like other software, which means we at least need to begin
clearing up this problem ASAP.

Given that the ssloptions= parameters can be used to reach the same
configuration, I propose that we simply remove the current sslversion
options.

Opinions?

Amos
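An added example, not part of the thread or of the Squid code base: a small checker for squid.conf that finds the two problems the RFC describes, a version= / sslversion= / sslproxy_version pin to an obsolete protocol (point 1) and a pin that the matching ssloptions= flag disables again (point 2), plus a helper that builds the ssloptions= value equivalent to a minimum-version setting. The numeric version= meanings (1 automatic, 2 SSLv2 only, 3 SSLv3 only, 4 TLSv1.0 only, 5 TLSv1.1 only, 6 TLSv1.2 only) and the NO_* flag names are taken from the Squid 3.x squid.conf documentation; the sample config fragment, the finding texts and the function names are constructed for this example.

```python
"""Constructed checker for Squid version= vs ssloptions= overlap (example code)."""
import re

# version= / sslversion= / sslproxy_version numbers -> the single protocol pinned
# (Squid 3.x documentation); 1 means "automatic", i.e. nothing is pinned.
VERSION_PIN = {"1": None, "2": "SSLv2", "3": "SSLv3",
               "4": "TLSv1", "5": "TLSv1_1", "6": "TLSv1_2"}

# ssloptions= flag that disables each protocol in the OpenSSL context.
DISABLE_FLAG = {"SSLv2": "NO_SSLv2", "SSLv3": "NO_SSLv3", "TLSv1": "NO_TLSv1",
                "TLSv1_1": "NO_TLSv1_1", "TLSv1_2": "NO_TLSv1_2"}

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]   # oldest first
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1"}   # never worth pinning to in 2015+

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one squid.conf line into (directive, positional args, key=value dict)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    args, kv = [], {}
    for tok in parts[1:]:
        m = KV.fullmatch(tok)
        if m:
            kv[m.group(1)] = m.group(2)
        else:
            args.append(tok)
    return parts[0], args, kv

def _check(line_no, directive, version, flags):
    """Findings for one directive's pinned version against its NO_* flags."""
    out = []
    pin = VERSION_PIN.get(version)          # None: unset, automatic or unknown
    if pin is None:
        return out
    if pin in OBSOLETE:
        out.append((line_no, f"{directive}: pinned to {pin} only, which is obsolete"))
    if DISABLE_FLAG[pin] in flags:          # the overlap the RFC warns about
        out.append((line_no, f"{directive}: pinned to {pin} but ssloptions sets {DISABLE_FLAG[pin]}"))
    return out

def check_config(text):
    """Return [(line_no, finding)] for every version/ssloptions problem in text."""
    findings = []
    proxy_version, proxy_line, proxy_flags = None, 0, set()
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        directive, args, kv = parsed
        if directive == "sslproxy_version":      # bare number, pairs with sslproxy_options
            proxy_version, proxy_line = (args[0] if args else None), n
        elif directive == "sslproxy_options":
            proxy_flags = set(args[0].split(",")) if args else set()
        else:                                    # http(s)_port version=, cache_peer sslversion=
            version = kv.get("version") or kv.get("sslversion")
            flags = set(kv.get("ssloptions", "").split(","))
            findings += _check(n, directive, version, flags)
    findings += _check(proxy_line, "sslproxy_version", proxy_version, proxy_flags)
    return findings

def ssloptions_for_minimum(minimum):
    """ssloptions= value that disables every protocol older than `minimum`."""
    return ",".join(DISABLE_FLAG[v] for v in ORDER[:ORDER.index(minimum)])

# Constructed sample squid.conf fragment exercising each case.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
https_port 3129 accel cert=/etc/squid/cert.pem version=4 ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1
cache_peer parent.example.internal parent 443 0 ssl sslversion=3
http_port 3128 ssl-bump cert=/etc/squid/cert.pem version=1 ssloptions=NO_SSLv2,NO_SSLv3
sslproxy_version 4
sslproxy_options NO_TLSv1
"""

if __name__ == "__main__":
    for line_no, finding in check_config(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
    print("minimum TLSv1.1 as ssloptions:", ssloptions_for_minimum("TLSv1_1"))
```

The checker only reasons about the configuration text; which setting wins when both are present is decided by the order in which Squid builds its OpenSSL context, as the post notes, so a reported conflict means "the admin asked for two contradictory things", not a prediction of the resulting handshake behaviour.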
