[squid-dev] TLS 1.3 0rtt

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 21 13:19:02 UTC 2018

On 16/11/18 3:07 am, Marcus Kool wrote:
> After reading
> https://www.privateinternetaccess.com/blog/2018/11/supercookey-a-supercookie-built-into-tls-1-2-and-1-3/
> I am wondering if the TLS 1.3 implementation in Squid will have an
> option to disable the 0rtt feature so that user tracking is reduced.

As the article mentions, the issue is also part of TLS/1.2 and the
features behind it can already be configured to disable as needed. It is
unlikely that we would remove such a useful config option any time soon.

Also, it is worth stating that this type of tracking does not work
through a TLS proxy. The TLS session between client and proxy is not
shared with server and vice versa. The proxy<->server TLS session which
it might try tracking contains multiplexed traffic from many clients so
is not a reliable per-user tracker to the server.

Things get a lot less clear when SSL-Bumping since there is a mix of
OpenSSL and Squid code doing things and actions like peek/stare/splice
may require side effects of preventing TLS feature removal/disable.

It is an admin choice how and when to use such actions though, so again
already configurable if one understands what those actions do rather than
just blindly throwing copy-paste config settings at the proxy until
something "works".
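The two points above (a resumption ticket links a client's visits even when its network address changes, and a TLS-terminating proxy breaks that link because its upstream session cache is shared by every client behind it) are easier to see in a small model. The following is an added example written for this page, not code from Squid or from the thread; it models tickets as HMAC-tagged opaque blobs and uses constructed client names and sources, and it does not perform real TLS.

```python
"""Constructed model of TLS session-resumption tracking (not real TLS).

The ticket a server hands out at the end of a handshake is the 'supercookie':
only the issuing server can mint or recognise it, and whoever presents it
again is, from the server's point of view, the same endpoint as before.
"""
import hashlib
import hmac
import secrets

TICKET_ID_LEN = 16


class Server:
    """Origin server that issues resumption tickets and records which ticket
    each later connection presents."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # ticket-protection key, server-only
        self.visits = {}                     # ticket id -> sources seen with it

    def _tag(self, tid):
        return hmac.new(self.key, tid, hashlib.sha256).digest()

    def _valid(self, ticket):
        tid, tag = ticket[:TICKET_ID_LEN], ticket[TICKET_ID_LEN:]
        return tid in self.visits and hmac.compare_digest(tag, self._tag(tid))

    def handshake(self, source, ticket=None):
        """Return (ticket, resumed). `source` stands for whatever the server
        observes about the connection (e.g. the peer address)."""
        if ticket is not None and self._valid(ticket):
            self.visits[ticket[:TICKET_ID_LEN]].append(source)
            return ticket, True                      # resumed: visits now linked
        tid = secrets.token_bytes(TICKET_ID_LEN)     # fresh, unlinkable ticket
        self.visits[tid] = [source]
        return tid + self._tag(tid), False

    def linked_visits(self):
        """Everything the server can tie together: the visit list per ticket."""
        return [list(v) for v in self.visits.values()]


class DirectClient:
    """Browser talking straight to the origin. With resumption enabled it keeps
    the ticket and presents it on every later connection; with resumption
    disabled (the option the thread asks about) it simply forgets it."""

    def __init__(self, resumption=True):
        self.resumption = resumption
        self.ticket = None

    def connect(self, server, source):
        ticket, resumed = server.handshake(source, self.ticket)
        self.ticket = ticket if self.resumption else None
        return resumed


class TerminatingProxy:
    """TLS-terminating proxy. Each downstream client has its own TLS session
    with the proxy (not modelled here); upstream, the proxy keeps one session
    cache per origin that all clients share, and the origin only ever sees
    the proxy's egress address."""

    def __init__(self, egress="proxy-egress"):
        self.egress = egress
        self.upstream = {}          # origin -> ticket from the proxy's own session
        self.downstream_log = []    # who the proxy served (never sent upstream)

    def fetch(self, client_name, server):
        self.downstream_log.append(client_name)
        ticket, resumed = server.handshake(self.egress, self.upstream.get(id(server)))
        self.upstream[id(server)] = ticket
        return resumed


def scenario_direct(resumption=True):
    """Alice visits the origin from three networks; does the ticket link them?"""
    srv = Server()
    alice = DirectClient(resumption)
    sources = ("alice@home", "alice@cafe", "alice@office")   # constructed labels
    resumed = [alice.connect(srv, src) for src in sources]
    return resumed, srv.linked_visits()


def scenario_proxied():
    """Several users behind one terminating proxy; what can the origin link?"""
    srv = Server()
    proxy = TerminatingProxy()
    resumed = [proxy.fetch(who, srv) for who in ("alice", "bob", "alice", "carol")]
    return resumed, srv.linked_visits(), proxy.downstream_log


if __name__ == "__main__":
    print("direct, resumption on :", scenario_direct(True))
    print("direct, resumption off:", scenario_direct(False))
    print("via terminating proxy :", scenario_proxied())
```

With resumption on, the direct case yields one ticket whose visit list is all three of Alice's locations: the server links them regardless of address. With resumption off, every connection is a full handshake with a fresh ticket and nothing is linked. Through the proxy, the single upstream ticket is reused for Alice, Bob and Carol alike and every visit carries the proxy's egress address, which is the "multiplexed traffic from many clients" point made above: the ticket identifies the proxy, not a user. In Squid the knobs that govern the real OpenSSL behaviour are the `options=NO_TICKET` and `sslflags=NO_SESSION_REUSE` settings on `http_port`/`https_port` and the `options=` field of `tls_outgoing_options`; confirm the exact spelling against the `squid.conf.documented` file shipped with your release.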
