[squid-users] Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 10 03:35:03 UTC 2018


On 10/11/18 7:04 AM, Martin Hoffmann wrote:
> I'm using squid 4.4 as remote proxy for an https server.
> Squid 4.4 comes from Debian testing and is compiled with --with-gnutls
> (no openssl support).
> 
> How can I disable certain cipher suites or protocols (like TLS 1.0)?
> 
> From my understanding I should add tls-min-version=1.1 to https_port -
> but that is ignored...?

Hmm, I think I've found a bug in there which would cause that.


> Where can I add GnuTLS priority strings to disable certain ciphers?
> 

Use "tls-options=". It is not yet documented since it has not had much
testing. For GnuTLS it should take a ':' separated list of priority strings.

FWIW: To work around the above tls-min-version bug, you should add the
priority string ":-VERS-TLS1.0" to that list of your custom ones. That
is what the min-version options should have been doing but clearly is not.


> I guess the documentation about https_port is somewhat misleading as it
> often refers to the openssl config.

Most documentation is still about OpenSSL because that is the older
feature set.

Settings that are named with "tls" prefixes have been given GnuTLS
support and should work for either library unless explicitly stated as
requiring one in particular.


HTH
Amos

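As an added example (not from this thread or the Squid project), a squid.conf fragment that applies the workaround described above: the tls-min-version line reported as ignored is left commented out, and tls-options carries a GnuTLS priority string containing -VERS-TLS1.0. The port, the accel (reverse-proxy) setup, the certificate paths and NORMAL as the base priority set are assumptions.

```conf
# Added example, not from the thread. Assumed: reverse-proxy (accel) setup,
# port 443, placeholder certificate paths, NORMAL as the GnuTLS base set.

# Reported in the thread as ignored under GnuTLS in Squid 4.4, so it is kept
# here only as a reminder and not relied on:
#   https_port 443 accel tls-cert=/etc/squid/PLACEHOLDER.pem tls-key=/etc/squid/PLACEHOLDER.key tls-min-version=1.1

# Working form: tls-options= takes a ':'-separated GnuTLS priority string.
# NORMAL is the GnuTLS default set; -VERS-SSL3.0 and -VERS-TLS1.0 drop those
# protocol versions; %SERVER_PRECEDENCE makes the server's cipher order win.
https_port 443 accel tls-cert=/etc/squid/PLACEHOLDER.pem tls-key=/etc/squid/PLACEHOLDER.key tls-options=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:%SERVER_PRECEDENCE
```

After `squid -k reconfigure`, a handshake forced to TLS 1.0 with `gnutls-cli --priority 'NORMAL:-VERS-ALL:+VERS-TLS1.0' -p 443 <host>` should fail, while a default `gnutls-cli -p 443 <host>` should still succeed.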
