[squid-users] Regarding Squid SSL cipher filtering

Alex Rousskov rousskov at measurement-factory.com
Sat Feb 2 20:29:30 UTC 2019


On 2/1/19 4:04 PM, john doe wrote:

> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.

> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> whether it needs SSL-Bump too.
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.

If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:

* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).

* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::<negotiated_cipher).

For bumped connections, there is also %ssl::>negotiated_cipher.

Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.


Cheers,

Alex.
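The first option above, rejecting clients whose TLS Client Hello offers a banned cipher, as an added worked example that is not part of Alex's reply or of the Squid project: a Python external ACL helper that parses the ClientHello, compares the offered cipher suites against a deny-list and answers OK or ERR in the Squid helper protocol. The deny-list, the sample ClientHello builder and the assumption that Squid delivers `%>handshake` base64-encoded (possibly quoted or percent-escaped) are all this example's own, so check them against your Squid version's documentation before relying on it.

```python
#!/usr/bin/env python3
"""External ACL helper: reject TLS clients that offer banned cipher suites.

Added example. Reads one %>handshake value per line from Squid, parses the
TLS ClientHello inside it and answers OK or ERR. Everything below, including
the deny-list and the sample ClientHello, is constructed for illustration.
"""
import base64
import struct
import sys
from urllib.parse import unquote

# Hypothetical deny-list, keyed by IANA cipher suite code point.
BANNED_CIPHERS = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",  # static RSA, no forward secrecy
}


class HelloParseError(ValueError):
    """Raised when the bytes are not a complete TLS ClientHello."""


def parse_client_hello(raw: bytes) -> list:
    """Return the cipher suite code points offered in a TLS ClientHello.

    Reassembles the handshake message from one or more TLS records, then
    skips client_version, random and session_id to reach cipher_suites.
    """
    body, pos = b"", 0
    while pos + 5 <= len(raw):
        ctype, _ver, rlen = struct.unpack("!BHH", raw[pos:pos + 5])
        if ctype != 0x16:
            raise HelloParseError("not_a_TLS_handshake_record")
        frag = raw[pos + 5:pos + 5 + rlen]
        if len(frag) < rlen:
            raise HelloParseError("truncated_TLS_record")
        body += frag
        pos += 5 + rlen
        if len(body) >= 4 and len(body) >= 4 + int.from_bytes(body[1:4], "big"):
            break  # complete handshake message collected
    if len(body) < 4:
        raise HelloParseError("no_handshake_message")
    if body[0] != 0x01:
        raise HelloParseError("not_a_ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise HelloParseError("truncated_ClientHello")
    off = 2 + 32                       # client_version + random
    if len(hello) < off + 1:
        raise HelloParseError("truncated_ClientHello")
    off += 1 + hello[off]              # session_id length byte + session_id
    if len(hello) < off + 2:
        raise HelloParseError("truncated_ClientHello")
    cs_len = int.from_bytes(hello[off:off + 2], "big")
    off += 2
    if cs_len % 2 or len(hello) < off + cs_len:
        raise HelloParseError("bad_cipher_suites_length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(off, off + cs_len, 2)]


def decide(raw: bytes) -> str:
    """Squid external ACL verdict for the given handshake bytes.

    Fails closed: anything that is not a parseable ClientHello is denied,
    which is a policy choice (a non-TLS CONNECT payload is also rejected).
    """
    try:
        offered = parse_client_hello(raw)
    except HelloParseError as exc:
        return f"ERR message={exc}"
    bad = [BANNED_CIPHERS[c] for c in offered if c in BANNED_CIPHERS]
    if bad:
        return "ERR message=banned_ciphers:" + ",".join(bad)
    return "OK"


def build_client_hello(cipher_suites) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello with no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                              # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def main():
    # Helper protocol without concurrency=: one request per line, the only
    # token being %>handshake. Assumed here: Squid hands it over base64-encoded
    # and possibly double-quoted or percent-escaped, so both are undone.
    for line in sys.stdin:
        token = unquote(line.strip()).strip('"')
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            raw = b""
        sys.stdout.write(decide(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper fails closed on purpose: a truncated record, a non-TLS payload inside the CONNECT tunnel, or a handshake message that is not a ClientHello all produce ERR, and the `message=` key carries a space-free reason that Squid can show on an error page or log. Wiring it in follows Alex's description (an `external_acl_type` whose format is `%>handshake`, an `acl ... external` referencing it, and a rule using that acl); whether the denial ends up as a silent TCP termination or a bumped error page depends on how your SSL-Bump rules are arranged, which this example deliberately leaves to your squid.conf.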

