[squid-users] Filtering cipher suites and certificate algorithms without man-in-the-middle

Ali Galip Çamlı ali.galip.camli at epati.com.tr
Mon Oct 14 08:51:46 UTC 2019


Hi,

I've set up a firewall and proxy with pf & Squid on FreeBSD. Is it
possible to observe and filter with Squid which cipher suite is selected
between the endpoints (client and server) without changing their SSL
certificate, i.e. without mimicking the server certificate?

My main goal is to avoid weak ciphers that the parties agree upon. I want to
force my clients to use modern algorithms while surfing the internet
filtered by Squid.

For example, if the client and server agree on a cipher suite that includes
MD5 or SHA1, DES or RC4, or on SSLv3, or if the server sends my client a
certificate signed with SHA1, or an expired certificate, etc., I want to
ban the traffic.

There is a directive 'tls_outgoing_options' in Squid and it has
'cipher' and 'min-version' configurations. Do these configurations
satisfy my goal?

Sincerely,
Ali

Note: I already asked this question in
https://serverfault.com/questions/987463/filtering-cipher-suites-and-certificate-algorithms-without-man-in-the-middle
and
https://crypto.stackexchange.com/questions/74936/observing-cipher-suites-and-certificate-algorithms-without-man-in-the-middle
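Added example, not from this post or from the Squid project: what a passive observer of the handshake can actually check. The negotiated protocol version and cipher suite are sent in the clear in the ServerHello, so a proxy that only peeks at the handshake (the ssl_bump peek/splice steps in Squid) or a packet capture can apply a cipher policy without impersonating the server. The server Certificate message is in the clear only up to TLS 1.2; TLS 1.3 encrypts it, so the certificate signature-algorithm and expiry checks from the post are not available to a passive observer there. The ServerHello parser, the short excerpt of the IANA cipher-suite table, the policy thresholds (TLS 1.2 floor, unknown suites rejected) and the ServerHello bytes built by build_server_hello are all constructed for this demo.

```python
"""Parse a TLS ServerHello record and apply a passive cipher policy (constructed demo)."""
import struct
from dataclasses import dataclass

# Short excerpt of the IANA TLS cipher-suite registry (real tables are far larger).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

# Assumed policy: TLS 1.2 floor; substrings that mark a suite as weak (3DES matches "DES").
MIN_VERSION = 0x0303
WEAK_MARKERS = ("RC4", "DES", "_MD5", "NULL", "EXPORT", "anon")


@dataclass
class ServerHello:
    version: int       # negotiated protocol version (supported_versions wins for TLS 1.3)
    cipher_suite: int  # selected cipher suite, IANA code point

    @property
    def version_name(self) -> str:
        return VERSION_NAMES.get(self.version, f"0x{self.version:04x}")

    @property
    def suite_name(self) -> str:
        return CIPHER_SUITES.get(self.cipher_suite, f"unknown 0x{self.cipher_suite:04x}")


def parse_server_hello(record: bytes) -> ServerHello:
    """Extract version and cipher suite from one TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:                                 # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                        # skip server_random
    sid_len = hs[pos]
    pos += 1 + sid_len                                  # skip legacy session id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                                        # cipher suite, compression method
    if pos + 2 <= len(hs):                              # optional extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hs):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0x002B and elen == 2:           # supported_versions: TLS 1.3 selected
                version = struct.unpack("!H", edata)[0]
    return ServerHello(version, cipher)


def policy_reasons(sh: ServerHello) -> list:
    """Return the reasons to ban this handshake; an empty list means allow."""
    reasons = []
    if sh.version < MIN_VERSION:
        reasons.append(f"protocol {sh.version_name} below TLSv1.2")
    name = CIPHER_SUITES.get(sh.cipher_suite)
    if name is None:                                    # fail closed on anything unrecognised
        reasons.append(f"unknown cipher suite 0x{sh.cipher_suite:04x}")
        return reasons
    for marker in WEAK_MARKERS:
        if marker in name:
            reasons.append(f"{name} uses {marker.strip('_')}")
    if name.endswith("_SHA"):                           # TLS 1.2 suites ending in _SHA use HMAC-SHA1
        reasons.append(f"{name} uses HMAC-SHA1")
    return reasons


def build_server_hello(version: int, cipher_suite: int, tls13: bool = False) -> bytes:
    """Constructed ServerHello record (fixed random, empty session id) for the demo."""
    legacy_version = 0x0303 if tls13 else version
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!HB", cipher_suite, 0)         # suite, null compression
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)    # supported_versions = TLS 1.3
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    samples = [build_server_hello(0x0303, 0xC02F),
               build_server_hello(0x0303, 0x1301, tls13=True),
               build_server_hello(0x0300, 0x0005),
               build_server_hello(0x0303, 0x002F)]
    for rec in samples:
        sh = parse_server_hello(rec)
        verdict = policy_reasons(sh)
        print(sh.version_name, sh.suite_name, "ALLOW" if not verdict else "BAN: " + "; ".join(verdict))
```

The same parse-then-verdict step is what a peek-only proxy can do on the server's first flight; a suite such as TLS_RSA_WITH_AES_128_CBC_SHA is rejected here purely for its HMAC-SHA1 MAC, which is the "SHA1" case from the post, while the SHA-1 signature on a certificate needs the Certificate message and is therefore only observable passively up to TLS 1.2.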


