[squid-users] Bumping TLS 1.3

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 25 09:03:38 UTC 2018


On 25/10/18 1:21 PM, Turnbull, John wrote:
> I was wondering about bumping TLS 1.3 connections and if you think that
> will ever be supported.
> 

Probably. ETA indeterminate.

To quote myself from the docs:
  "When used properly TLS cannot be bumped".

What Squid does now is take advantage of shortcuts and workarounds many
installations use(d) to avoid trouble or administration hassles with
TLS/SSL.

Bump only works at all when those shortcuts allow Squid to impose itself
as MITM into the handshake sequence. TLS/1.3 does not change that
situation - just the code needed to do the insertion will have to be
redesigned a fair bit (already underway AFAIK).


What TLS/1.3 brings to the situation differently is hiding a lot of
details like SNI and server cert that were previously available up-front
for the admin to selectively *avoid* bumping traffic they thought was okay.

So admins will soon / now be faced with having to bump *everything* and
block those relatively few parties actually using TLS "properly".

The reality is that *splice* is the ability TLS/1.3 makes harder to do
reliably.

Amos
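A selective ssl_bump policy of the kind Amos describes (peek at the ClientHello, splice the names the admin chooses not to inspect, bump the rest), added here as an illustration; it is not from the original message or the Squid project's own documentation, and the port, certificate paths, certgen path and the `.example.com` allowlist are assumed:

```conf
# Assumed values: port 3128, the bump CA path, the certgen helper path
# and its database directory, and the .example.com allowlist.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps: 1 = ClientHello received, 2 = ServerHello (and, for
# TLS 1.2 and earlier, the server certificate) received.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Names the admin decides not to inspect, matched on the SNI at step 1.
acl splice_sites ssl::server_name .example.com

# Step 1: look at the ClientHello without yet committing to bump,
# so splicing is still possible for matching names.
ssl_bump peek step1

# Allowlisted names are spliced: Squid tunnels the bytes unmodified and
# never presents its own certificate to the client.
ssl_bump splice splice_sites

# Step 2: "stare" keeps the option of bumping (peeking here would
# normally preclude it). Under TLS 1.2 this exposes the server
# certificate for further ACLs; under TLS 1.3 that certificate is
# encrypted, so the splice/bump decision has to rest on step 1.
ssl_bump stare step2

# Everything not spliced above is bumped (terminated, re-signed with the
# bump CA and inspected).
ssl_bump bump all
```

Clients that validate the upstream certificate strictly (pinning, or refusing the bump CA) will fail on bumped connections; those are the parties the message says will end up blocked rather than inspected.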

