[squid-users] sslproxy_options on squid 3.5.20

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 6 09:27:54 UTC 2020


On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> Hi,
> 
> I am trying to allow access for only tls versions 1.2 and above on Squid
> 3.5.20
> 

Note that "above 1.2" are not supported by that ancient version of
Squid. Your test disables everything except SSLv1 code in the library.


> For testing purposes, I have set options in squid config as follows.
> 
> ```
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> 
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> ```
> 

Support for all those options depends on the version, build options, and
global config settings of the OpenSSL library being used. They are just
flags Squid passes to the library on connection setup.


FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
to TLS since then. Please try to upgrade to current Squid-4 stable, or
for best SSL-Bump behaviour the current Squid-5 beta.

Amos
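
The following is an added example, not part of the original thread or of Squid itself: a small checker that reads `https_port ... options=` and `sslproxy_options` lines and reports which protocol versions the `NO_*` flags leave enabled. The function names, the `allowed` policy and the sample text are hypothetical; it assumes the five protocol versions Squid 3.5 can negotiate and treats colon as a separator alongside comma. The OpenSSL build may narrow the result further.

```python
import re

# Protocol versions Squid 3.5 can ask OpenSSL for, keyed by the NO_* option
# that switches each one off. Other options (e.g. ALL) do not disable a protocol.
NO_FLAGS = {
    "NO_SSLv2": "SSLv2",
    "NO_SSLv3": "SSLv3",
    "NO_TLSv1": "TLSv1.0",
    "NO_TLSv1_1": "TLSv1.1",
    "NO_TLSv1_2": "TLSv1.2",
}
ORDER = list(NO_FLAGS.values())

def enabled_protocols(option_string):
    """Return the protocol versions an options list leaves enabled."""
    flags = [f for f in re.split(r"[,:]", option_string) if f]
    disabled = {NO_FLAGS[f] for f in flags if f in NO_FLAGS}
    return [p for p in ORDER if p not in disabled]

def audit(conf_text, allowed=("TLSv1.2",)):
    """Map each TLS option setting to (enabled protocols, policy violations)."""
    report = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive, rest = parts
        if directive == "sslproxy_options":
            key, opts = directive, rest.strip()
        elif directive == "https_port":
            m = re.search(r"(?:^|\s)options=(\S+)", rest)
            # No options= parameter means Squid disables nothing itself.
            key, opts = f"{directive} {rest.split()[0]}", m.group(1) if m else ""
        else:
            continue
        enabled = enabled_protocols(opts)
        report[key] = (enabled, [p for p in enabled if p not in allowed])
    return report

# Constructed sample: the configuration quoted in the thread, then the same
# lines with NO_TLSv1_1 in place of NO_TLSv1_2.
POSTED = """\
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
"""
TLS12_ONLY = POSTED.replace("NO_TLSv1_2", "NO_TLSv1_1")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("tls1.2-only", TLS12_ONLY)):
        for where, (enabled, bad) in audit(conf).items():
            print(f"{name:12} {where:18} enabled={enabled} violations={bad}")
```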

