[squid-users] ssl-bump splice on unsupported ciphers

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 9 01:23:01 UTC 2015


On 9/12/2015 1:59 p.m., Michael Hendrie wrote:
> Hi All,
> 
> I've read a few articles that indicate squid-3.5 and below doesn't support ssl-bump'ing ECDHE ciphers.
> 
> Is this correct?

That is correct.

> If so, is it possible to create/structure acl and ssl-bump rules to splice on unsupported ciphers? 
> 
> I've looked through the available ACL options and doesn't seem to be possible unless I'm missing something.
> 

Good question. The workaround that comes to mind is using the user_cert
type ACL to match values in the certificate.

But doing so by custom OID is also only available in Squid-4 and later.
So if the cipher is not one of the specific fields listed that 3.5 and
older can match, then AFAIK you are out of luck.


FYI: Squid-4 is available, all that "beta" means is that the new code
has not yet had much testing. It works fine for some of us in
production. You may be able to use it also but some extra care is
recommended to check it works well enough before rolling it out.

... or in short: YMMV.

Amos
