[squid-users] will multiple tls_outgoing_options lines be combined?

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 3 12:37:22 UTC 2018


On 03/07/18 23:23, Amish wrote:
> Hello,
> 
> I am trying new options in squid 4.1.
> 
> For easy readability can I use tls_outgoing_options multiple times in
> squid.conf?
> 

Yes. Provided the options specified on each are different.

> Like this: (Tips from
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit)
> 
> tls_outgoing_options cafile=/etc/ssl/cert.pem
> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> tls_outgoing_options
> cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 
> Will it merge all 3 as if mentioned on 1 single line?

The above will, yes.

> Or will it pick only last (or first) option and internal defaults for rest?

Each option in the directive replaces previous values of that same option.

For example;

  tls_outgoing_options cipher=A cipher=B

 is the same as:

  tls_outgoing_options cipher=B


Since above you are setting a different named option on every line, your
setup is equivalent to all the options being on one line.


However, Squid understands line wrapping. So this question is not very
useful. You could simplify even further like this:

 tls_outgoing_options \
   cafile=/etc/ssl/cert.pem \
   options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
   cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:....




> 
> I am not an SSL/TLS expert so I do not know how to test this i.e. how to
> know if it's really working.

Then it's a good sign you are asking for help. TLS is a pit of troubles
for the unaware. To successfully manage use of SSL-Bump features you
need at least an understanding of how the TLS protocol operates.
 Note that is *not* the crypto, just how the messaging works.

This directive controls what capabilities Squid lets your OpenSSL
library advertise in clientHello and TLS extension messages sent to
servers (not cache_peer) during a TLS handshake.
 So to debug use something like wireshark to look at the packets and see
what the handshake contains.


Amos

