[squid-users] Squid SSL-bump error Change Cipher Spec

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 4 07:25:06 UTC 2018


On 4/12/18 12:18 pm, johnr wrote:
>> What are your squid.conf settings now?
> 
> http_port 3128 ssl-bump

You are missing a CA certificate for the bumping process to use for the
certificates it sends the clients.

Also you do not have any ssl_bump lines here. They are required to tell
Squid which of the TLS/SSL traffic to consider for handling. Without
those lines the ssl-bump on the port does nothing.


> tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
> 

This should be:
 tls_outgoing_options options=NO_TICKET,ALL,No_SSLv3 min-version=1.0

That use of "ALL" there is a bit obscure. What it actually does is
*enable* all sorts of unsafe security features the library would
normally disable by default. Such as 8-bit hashes and very insecure RSA
keys.

The min-version is only required if the library defaults to actively
rejecting TLS/1.0 or such.

To let the library use its defaults you simply do not configure Squid to
require anything at all (i.e. remove the tls_outgoing_options directive
entirely).

Amos
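For reference, here is a minimal squid.conf that supplies the two things Amos says are missing (a CA for the bumping process and ssl_bump rules) and drops the tls_outgoing_options line. This is an added example, not a configuration from the thread or from the Squid project; the file paths, the CA file name, the helper binary location and the Squid 4 option spellings (tls-cert=, tls-key=) are assumptions.

```squid
# Added example squid.conf (not from the thread). Paths and file names are
# assumed. The CA at /etc/squid/bump-ca.pem is one you generate yourself and
# whose certificate you install in the clients' trust stores.

# 1. The bumping CA. Squid signs the per-site certificates it hands to
#    clients with this key, so the port must be given the cert and key.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that generates and caches the mimicked server certificates.
# (Binary location varies by distribution; /usr/lib/squid is assumed here.)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# 2. ssl_bump rules. Without these, ssl-bump on the port does nothing.
#    Peek at the client's ClientHello in step 1 so the SNI is known,
#    then bump the rest.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 3. Outgoing TLS: no tls_outgoing_options line, so the library defaults
#    apply. If a line is needed, the option list takes the options= prefix
#    and should not enable ALL, e.g.:
#    tls_outgoing_options min-version=1.2
```

The certificate database referenced by sslcrtd_program has to exist before Squid starts; with the assumed paths above it is created once with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB`, and `squid -k parse` will report any directive the installed Squid version does not accept.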
