[squid-users] Resolved: Peek-and-splice not working when mixing TLS1.3 servers and TLS1.2 clients

Alex Rousskov rousskov at measurement-factory.com
Sat Dec 7 15:10:48 UTC 2019


On 12/7/19 8:54 AM, Nikolaus wrote:

> https://github.com/nthuemmel/squid/tree/tls_downgrade_compatibility
> 
> I would of course be glad if the fix could be merged into the main squid
> repository. If you are a dev, please let me know what you think and if I
> should open a pull request.


FYI: There are two other ongoing and independent efforts related to TLS
v1.3 version handling:

[1] Fix stalled SslBump-peeked connections from older browsers
    https://github.com/measurement-factory/squid/pull/60/

[2] Bug 5011: TLS 1.3 connection get stuck when parsing ServerHello
    https://bugs.squid-cache.org/show_bug.cgi?id=5011

My team is responsible for [1]. Our unofficial (and currently very
unpolished) code should be ready for the official review in a couple of
weeks. AFAICT from a quick look through your changes, we are working on
the same or a very similar problem. If you can test [1] in your
environment, please let me know whether it works in your environment.

I am not sure what is the best way to minimize further duplication of
effort here. Here is one option: If [1] works in your environment, and
you would rather avoid porting your changes to master, then perhaps you
can help with reviewing and backporting [1] (after it is officially
reviewed) to v4 instead.

If you decide to improve your branch towards its official submission,
please see https://wiki.squid-cache.org/MergeProcedure and keep in mind
that you will need to port your changes to master. Please also consider
_not_ storing the entire array of parsed supported versions if storing
just a couple of them (or storing their implications) is sufficient.
Please also note that SSL_set_max_proto_version() is not available in
OpenSSL v1.0. If Squid still supports that older OpenSSL version, it
would be best to avoid dropping that support because of this change.

If you have technical/development comments regarding [1], they are
probably best handled as pull request comments on GitHub (or a
discussion on the squid-dev@ mailing list). The squid-users@ mailing
list is not a good place to discuss code.


Thank you,

Alex.
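As an added illustration of the advice above to store the implications of the parsed supported_versions extension rather than the whole array, here is example C++ (written for this page, not code from Squid or from either branch under discussion). It reduces a peeked ClientHello extensions block to three fields and derives the highest version a proxy would be willing to offer the origin server. The struct, the function names and the sample byte strings are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// What a proxy could keep from a peeked ClientHello instead of the whole
// parsed supported_versions list (hypothetical type, not Squid's).
struct ClientVersionSummary {
    bool hasSupportedVersions = false; // extension 43 was present
    bool offersTls13 = false;          // 0x0304 appeared in the list
    uint16_t maxVersion = 0;           // highest non-GREASE version offered
};

static const uint16_t kExtSupportedVersions = 0x002b;
static const uint16_t kTls13 = 0x0304;

static uint16_t be16(const std::vector<uint8_t> &b, size_t pos) {
    return static_cast<uint16_t>((b[pos] << 8) | b[pos + 1]);
}

// RFC 8701 GREASE values look like 0x0A0A, 0x1A1A, ..., 0xFAFA.
static bool isGrease(uint16_t v) {
    return (v >> 8) == (v & 0xff) && (v & 0x0f) == 0x0a;
}

// Parses a ClientHello extensions block (uint16 total length, then repeated
// {uint16 type, uint16 length, data}) and reduces supported_versions to the
// fields above. legacyVersion is the hello's legacy_version field, which
// governs only when extension 43 is absent. Returns false for truncated or
// inconsistent encodings so the caller can refuse to decide rather than guess.
bool summarizeClientVersions(const std::vector<uint8_t> &ext, uint16_t legacyVersion,
                             ClientVersionSummary &out) {
    ClientVersionSummary s;
    s.maxVersion = legacyVersion;
    if (ext.size() < 2 || 2 + static_cast<size_t>(be16(ext, 0)) != ext.size())
        return false;
    size_t pos = 2;
    while (pos < ext.size()) {
        if (pos + 4 > ext.size()) return false;
        const uint16_t type = be16(ext, pos);
        const size_t len = be16(ext, pos + 2);
        pos += 4;
        if (pos + len > ext.size()) return false;
        if (type == kExtSupportedVersions) {
            // ClientHello form: uint8 list length followed by 2-byte versions.
            if (len < 3) return false;
            const size_t listLen = ext[pos];
            if (listLen + 1 != len || listLen % 2 != 0) return false;
            s.hasSupportedVersions = true;
            s.maxVersion = 0; // legacy_version is ignored once extension 43 is present
            for (size_t i = 0; i < listLen; i += 2) {
                const uint16_t v = be16(ext, pos + 1 + i);
                if (isGrease(v)) continue;
                if (v == kTls13) s.offersTls13 = true;
                if (v > s.maxVersion) s.maxVersion = v;
            }
            if (s.maxVersion == 0) return false; // only GREASE entries listed
        }
        pos += len;
    }
    out = s;
    return true;
}

// The ceiling a proxy would apply to its server-side connection: never offer
// the origin a version the peeked client cannot finish a handshake with.
uint16_t serverMaxVersionFor(const ClientVersionSummary &s) {
    return s.maxVersion < kTls13 ? s.maxVersion : kTls13;
}

// Constructed sample extension blocks (not captured from real clients).
std::vector<uint8_t> sampleTls13Client() {
    return {0x00, 0x0d,                     // total extensions length = 13
            0x00, 0x17, 0x00, 0x00,         // extended_master_secret, empty
            0x00, 0x2b, 0x00, 0x05,         // supported_versions, 5 bytes
            0x04, 0x03, 0x04, 0x03, 0x03};  // list: TLS 1.3, TLS 1.2
}
std::vector<uint8_t> sampleTls12Client() {
    return {0x00, 0x04, 0x00, 0x17, 0x00, 0x00}; // no supported_versions at all
}
std::vector<uint8_t> sampleGreaseClient() {
    return {0x00, 0x0b, 0x00, 0x2b, 0x00, 0x07,
            0x06, 0x0a, 0x0a, 0x03, 0x04, 0x03, 0x03}; // GREASE, 1.3, 1.2
}
std::vector<uint8_t> sampleTruncated() {
    return {0x00, 0x09, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03}; // claims 9, has 6
}

int main() {
    ClientVersionSummary s;
    if (!summarizeClientVersions(sampleTls13Client(), 0x0303, s)) return 1;
    std::printf("ext43=%d tls13=%d max=0x%04x server_max=0x%04x\n",
                s.hasSupportedVersions ? 1 : 0, s.offersTls13 ? 1 : 0,
                static_cast<unsigned>(s.maxVersion),
                static_cast<unsigned>(serverMaxVersionFor(s)));
    return 0;
}
```

The three stored fields are the "implications" a splice or bump decision needs; the list itself can be discarded once parsed. The value from serverMaxVersionFor() is what would be passed to SSL_set_max_proto_version(), which exists only in OpenSSL 1.1.0 and later, so a build that still supports OpenSSL 1.0 would wrap that call in an OPENSSL_VERSION_NUMBER check and fall back to the older SSL_OP_NO_TLSv1_x option flags.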

