[squid-users] Disable tls1.3 support, can't get SNI / cert details when it's used

Stilyan Georgiev stilyangeorgiev at gmail.com
Wed Feb 27 23:13:16 UTC 2019


Thanks for the input Alex.
I had many, many issues compiling openssl without tls1.3. At first I tried
doing it side by side with the version I had in the OS but failed miserably, with
squid continuing to use the OS package.
Eventually I release-upgraded the OS and now have the 1.1.1-1 package from
the repo, rebuilt with no-tls1_3 in CONFARGS.

And to my amazement squid continues serving tls1.3 :)

Any suggestions on how to allow tls1.1 and tls1.2 only are very welcome.
Maybe tls_outgoing_options cipher= ...

Thanks in advance for helping out!

On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
>
> > Squid 4.5 with openssl support here.
> > SSL bumping can't obtain SNI / cert domain to perform filtering when
> > tls1.3 is used.
> > I want to disable support for tls1.3 in config but don't find a way to do
> > so. There's the outdated sslproxy_options config directive which doesn't
> > appear to be supported in 4.5
> >
> > The goal is - allow everything, besides tls1.3
>
> Good question!
>
> TLS v1.3 clients that use "Middlebox Compatibility Mode", including
> OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
> that attempt to restore a non-existent TLS session. Squid probably does
> not have ACLs that can detect those lies. However, if you think you can
> detect them, you can pass TLS Hello to your external ACL via the
> %>handshake logformat code.
>
> If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
> I suspect the answer is "yes, but only if you bump the client connection
> first": A peeking Squid cannot negotiate a different TLS version with
> the client. If TLS downgrade is what you want, you can probably use an
> OpenSSL version that does not support TLS v1.3. There may also be an
> OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
> have not researched that.
>
> Finally, there may be a bug in earlier versions of Squid that breaks
> peeking at TLS v1.3 servers during step2. Staring works. We have not
> tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
> is largely pointless because useful information in TLS v1.3 Server Hello
> is encrypted.
>
>
> HTH,
>
> Alex.


-- 
Yours Sincerely,

*Stilyan Georgiev*
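
The quoted reply notes that TLS v1.3 clients in Middlebox Compatibility Mode present themselves as TLS v1.2 and that the raw hello can be handed to an external ACL via %>handshake. The following is an added example, not code from this thread or from Squid, of the check such a helper could apply: a hello that offers TLS 1.3 lists 0x0304 in its supported_versions extension even though legacy_version says 0x0303. It assumes the handshake arrives base64-encoded and that the ClientHello fits in a single TLS record; all function names and the sample hello are constructed for illustration.

```python
import base64
import struct

TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1

def client_hello_versions(record: bytes) -> dict:
    """Parse one TLS record holding a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[9:5 + rec_len]      # skip record (5) and handshake (4) headers
        legacy = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                      # legacy_version + random
        sid_len = body[pos]
        pos += 1 + sid_len
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        offered = []
        if pos + 2 <= len(body):
            end = min(len(body), pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                    data = body[pos + 1:pos + 1 + body[pos]]
                    offered = [struct.unpack("!H", data[i:i + 2])[0]
                               for i in range(0, len(data) - 1, 2)]
                pos += elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"legacy_version": legacy, "session_id_len": sid_len,
            "supported_versions": offered}

def offers_tls13(handshake_b64: str) -> bool:
    """True when the hello lists TLS 1.3, whatever legacy_version claims."""
    info = client_hello_versions(base64.b64decode(handshake_b64))
    return TLS13 in info["supported_versions"]

def sample_hello(versions, session_id=b"") -> str:
    """Constructed ClientHello (not captured traffic), base64-encoded."""
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv if versions else b""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return base64.b64encode(b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs).decode()
```

Malformed or truncated input raises ValueError, so the calling helper has to decide explicitly whether an unparseable hello is allowed or denied.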