[squid-users] Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann m.hoffmann.bs at gmail.com
Tue Dec 18 14:44:40 UTC 2018


Thanks, that would be fine.
However, meanwhile I have recompiled Squid 4.4 with OpenSSL support
(added --enable-ssl
and --with-open-ssl=xxx and removed --with-gnutls in debian/rules), only to
end up with the same problems: I cannot seem to find out how to disable certain
protocols or ciphers with Squid 4.4.
With Squid 3.3 / 3.5 it worked without problems with "https_port ...
cipher=ALL:!xxx options=NO_TLSv1,....". However, despite the docs
<http://www.squid-cache.org/Doc/config/http_port/> saying these options
should still work, Squid 4.4 just exits with an error:

FATAL: Unknown https_port option 'cipher=
FATAL: Unknown https_port option 'options=

This seems to be the case regardless of whether I compile it with OpenSSL support
or GnuTLS support, or both. By the way, how does Squid "know" which library to
choose if it's compiled with both libraries?

So what exactly am I missing here? Are the docs simply wrong? Or outdated?
Which exact keyword should set the OpenSSL ciphers? Which one should set
the GnuTLS priority strings? Is it the same keyword with different values?

I then experimented with e.g. the *tls-options=NO_TLSv1* setting in
Squid 4.4 with OpenSSL, but without any luck:

FATAL: Unknown TLS option 'NO_TLSv1'

So could anyone please provide a proven working example for disabling TLS
v1 or any cipher in Squid 4.4? Either OpenSSL or GnuTLS would suffice to
put me back on the right track.

Thanks in advance,

Martin

On Tue, 18 Dec 2018 at 07:46, Amos Jeffries <
squid3 at treenet.co.nz> wrote:

> On 18/12/18 3:57 am, Martin Hoffmann wrote:
> > Sorry for my late response, but I have been very busy the last weeks.
> > So I could finally find the time to patch my Squid 4.4 with your Patch
> > https://github.com/squid-cache/squid/pull/330
> >
>
> No worries, similar situation here.
>
> > However, running the patched squid with the following config still
> > ignores all TLS-specific settings (tls-options and tls-min-version):
> >
> > https_port 1.2.3.4:443 tls-cert=/path/cert.crt
> > tls-key=/path/cert.key tls-dh=/path/dhparams.pem tls-min-version=1.2
> > accel defaultsite=some.domain.de
> >
> >
> > All attempts to disable certain ciphers or TLS versions via
> > 'tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2' also fail,
> > with no change at all. It is as if Squid totally ignores all GnuTLS-specific
> > settings. Is there still another bug regarding the config?
> >
>
> Just the unhelpful "Hmm, that's odd". I intend to re-test all this in the
> next month or so to be able to give a better indication of what to
> expect to work and see if any other regressions show up.
>
> Sorry,
> Amos
>
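An added check, not from this thread and not part of the Squid project: whichever keyword the running build accepts, the only proof that a protocol or cipher is really disabled is a handshake that fails when probed from the outside. The script below (assumptions: an openssl command line of 1.1.1 or newer on PATH, and for its self-test a free loopback port, 4433 unless PROBE_PORT is set) probes a listening port with "openssl s_client" forced to each TLS version or to a cipher list, and brings up a throwaway local "openssl s_server" that refuses TLS 1.0/1.1 so the probe can be exercised without a Squid. Before probing, "squid -k parse" reports configuration keywords the build does not accept (the FATAL lines quoted above are raised at that parsing stage), and "squid -v" prints the configure options the binary was built with, which is where to confirm whether the OpenSSL or GnuTLS option actually made it into the build.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# probe which TLS versions a listening port really accepts, using
# "openssl s_client". A handshake that completes prints "New, TLSvX.Y,
# Cipher is ..."; a refused one prints "New, (NONE), Cipher is (NONE)".
# Assumes: openssl >= 1.1.1 on PATH; for the self-test, a free loopback
# port (PROBE_PORT, default 4433).

# probe_tls HOST PORT VER  -> exit 0 if a handshake at VER completed.
# VER is one of tls1 tls1_1 tls1_2 tls1_3 (the s_client version flags).
probe_tls() {
    openssl s_client -connect "$1:$2" "-$3" </dev/null 2>/dev/null |
        grep -q '^New, TLSv'
}

# probe_cipher HOST PORT CIPHERS -> exit 0 if the server negotiates one of
# CIPHERS (OpenSSL cipher-list syntax, e.g. 'AES128-SHA') over TLS 1.2.
probe_cipher() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null |
        grep -q '^New, TLSv1.2'
}

# tls_report HOST PORT -> one line per protocol version, accepted/rejected.
tls_report() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if probe_tls "$1" "$2" "$v"; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Self-test target: a throwaway local "openssl s_server" with a self-signed
# certificate that refuses TLS 1.0 and 1.1, which is what a hardened
# https_port should look like from the outside.
PROBE_PORT=${PROBE_PORT:-4433}
start_test_server() {
    PROBE_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=localhost -days 1 \
        -keyout "$PROBE_DIR/key.pem" -out "$PROBE_DIR/cert.pem" 2>/dev/null
    openssl s_server -accept "$PROBE_PORT" -cert "$PROBE_DIR/cert.pem" \
        -key "$PROBE_DIR/key.pem" -no_tls1 -no_tls1_1 -www \
        </dev/null >/dev/null 2>&1 &
    PROBE_PID=$!
    # wait (up to ~10 s) until the listener completes a TLS 1.2 handshake
    i=0
    while ! probe_tls 127.0.0.1 "$PROBE_PORT" tls1_2; do
        i=$((i + 1))
        [ "$i" -lt 10 ] || return 1
        sleep 1
    done
}

stop_test_server() {
    kill "$PROBE_PID" 2>/dev/null || true
    wait "$PROBE_PID" 2>/dev/null || true
    rm -rf "$PROBE_DIR"
}

# Usage: sh tls_probe.sh HOST PORT   (e.g. the accel host and 443).
# With no arguments only the functions are defined.
if [ "$#" -ge 2 ]; then
    tls_report "$1" "$2"
fi
```

Run it as "sh tls_probe.sh proxy.example.org 443" against the accel port; a correctly hardened https_port reports tls1 and tls1_1 as rejected while tls1_2 (and tls1_3 where the server library supports it) is accepted. One caveat for the two legacy versions: a current client-side OpenSSL at its default security level refuses TLS 1.0/1.1 on its own, so a "rejected" for those only proves the server refuses them when the probe is made from an OpenSSL whose security level still allows them (for example by adding -cipher 'DEFAULT:@SECLEVEL=0' to the s_client call).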