[squid-users] sslproxy_options on squid 3.5.20

Nisa Balakrishnan nisa.balakrishnan at servian.com
Wed Oct 7 01:22:56 UTC 2020


Thanks Amos.

I have verified that the squid build is done with openssl that supports 1.2 but
not 1.3.
I am worried that squid does not pass the flag set via options.
I am able to lock squid to TLS 1.2 only with sslproxy_version.

To be a bit more clear, the squid implementation is a whitelist filtering
proxy. It does not bump ssl requests. It does peek and splice on intercept.

On Tue, 6 Oct 2020 at 20:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> > Hi,
> >
> > I am trying to allow access for only tls versions 1.2 and above on Squid
> > 3.5.20
> >
>
> Note that "above 1.2" are not supported by that ancient version of
> Squid. Your test disables everything except SSLv1 code in the library.
>
>
> > For testing purposes, I have set options in squid config as follows.
> >
> > ```
> > https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> >
> > sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> > ```
> >
>
> Support for all those options depends on the version, build options, and
> global config settings of the OpenSSL library being used. They are just
> flags Squid passes to the library on connection setup.
>
>
> FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
> to TLS since then. Please try to upgrade to current Squid-4 stable, or
> for best SSL-Bump behaviour the current Squid-5 beta.
>
> Amos


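The following is an added example, not code from the thread or from the Squid project: a small audit that reads the `options=` and `sslproxy_options` flag lists discussed above and reports which protocol versions each one leaves switched on. The function names are hypothetical, the OpenSSL ceiling of TLSv1.2 is taken from the message above, and the result describes what the configuration requests, not what the linked library honours.

```python
import re

# NO_* flags from squid.conf and the protocol each one switches off, weakest first.
# Assumption: the OpenSSL build tops out at TLSv1.2, as stated in the thread.
PROTOCOLS = [("SSLv2", "NO_SSLv2"), ("SSLv3", "NO_SSLv3"), ("TLSv1.0", "NO_TLSv1"),
             ("TLSv1.1", "NO_TLSv1_1"), ("TLSv1.2", "NO_TLSv1_2")]

def option_sets(conf_text):
    """Yield (directive, flags) for each https_port options= and sslproxy_options line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "https_port":
            for word in words[1:]:
                if word.startswith("options="):
                    yield "https_port", set(re.split(r"[,:]", word[len("options="):]))
        elif words[0] == "sslproxy_options" and len(words) > 1:
            yield "sslproxy_options", set(re.split(r"[,:]", words[1]))

def requested_protocols(flags):
    """Protocols the flag set leaves switched on (what is asked of the library)."""
    return [name for name, flag in PROTOCOLS if flag not in flags]

def audit(conf_text, minimum="TLSv1.2"):
    """Return {directive: (left_enabled, problems)} against a minimum version."""
    names = [name for name, _ in PROTOCOLS]
    floor = names.index(minimum)
    report = {}
    for directive, flags in option_sets(conf_text):
        enabled = requested_protocols(flags)
        problems = [f"{p} still enabled" for p in enabled if names.index(p) < floor]
        problems += [f"{p} disabled" for p in names[floor:] if p not in enabled]
        report[directive] = (enabled, problems)
    return report

# The test configuration quoted in the thread (https_port written on one line).
THREAD_CONF = """\
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
"""
# Constructed variant that asks for TLSv1.2 only.
TLS12_ONLY_CONF = THREAD_CONF.replace("NO_TLSv1_2", "NO_TLSv1_1")

if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("tls1.2-only", TLS12_ONLY_CONF)):
        for directive, (enabled, problems) in audit(conf).items():
            print(label, directive, enabled, problems or "ok")
```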