[squid-users] sslproxy_options on squid 3.5.20

Eliezer Croitor ngtech1ltd at gmail.com
Mon Oct 12 11:31:19 UTC 2020


Hey Nisa,

Just wondering: if it's only a whitelist filtering proxy for TLS/SSL/443,
wouldn't it be better to use a basic SNI proxy with a whitelist?

Eliezer

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd at gmail.com

From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Nisa Balakrishnan
Sent: Wednesday, October 7, 2020 4:23 AM
To: Amos Jeffries <squid3 at treenet.co.nz>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] sslproxy_options on squid 3.5.20

Thanks Amos.

I have verified that the Squid build is done with an OpenSSL that supports 1.2 but not 1.3.

I am worried that Squid does not pass the flag set via options.

I am able to lock Squid to TLS 1.2 only with sslproxy_version.

To be a bit more clear, the Squid implementation is a whitelist filtering proxy. It does not bump SSL requests. It does peek and splice on intercept.

On Tue, 6 Oct 2020 at 20:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:

On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> Hi,
> 
> I am trying to allow access for only tls versions 1.2 and above on Squid
> 3.5.20
> 

Note that versions "above 1.2" are not supported by that ancient version of
Squid. Your test disables everything except SSLv1 code in the library.


> For testing purposes, I have set options in squid config as follows.
> 
> ```
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> 
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> ```
> 

Support for all those options depends on the version, build options, and
global config settings of the OpenSSL library being used. They are just
flags Squid passes to the library on connection setup.


FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
to TLS since then. Please try to upgrade to current Squid-4 stable, or
for best SSL-Bump behaviour the current Squid-5 beta.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

-- 
Nisa Balakrishnan | Automation Engineer | m: 0473942819 | p: 03 9081 3700
Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008

Vibrato has merged with Servian! Check out the news article here: <https://www.arnnet.com.au/article/664971/servian-nabs-vibrato-multi-million-dollar-deal/>
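Amos's point is that Squid does no version logic of its own: the NO_* names in `sslproxy_options` / `options=` are handed straight to OpenSSL, so whatever the flags do not remove stays enabled, and the only way to know the flags reached the library is to handshake against the port. As an added example (not Squid's code and not from anyone in the thread), this Python script works out which versions an option string leaves enabled on a 1.2-capable, 1.3-less OpenSSL like the build described, then probes a listener one version at a time so the two can be compared; the host, port and option string in the `__main__` block are constructed.

```python
import socket
import ssl

# Versions a TLS-1.2-capable, TLS-1.3-less OpenSSL (the build in the thread) can speak.
LIBRARY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")

# Squid option name -> the single version the Python ssl module can pin a handshake to.
PY_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def enabled_versions(options, library_versions=LIBRARY_VERSIONS):
    """Versions still enabled after Squid hands an sslproxy_options / options=
    string to OpenSSL. Squid adds no version logic of its own: each NO_x flag
    removes x, and every other flag leaves the version set alone."""
    disabled = {flag[len("NO_"):] for flag in options.replace(" ", "").split(",")
                if flag.startswith("NO_")}
    return [v for v in library_versions if v not in disabled]


def probe_version(host, port, version, timeout=5.0):
    """Handshake with exactly one protocol version; True if the listener accepts it.
    Certificate checks are off on purpose: the question is which versions
    negotiate, not whether the bump certificate is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = PY_VERSION[version]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def audit(host, port, options):
    """Per version: (should be enabled per the option string, actually negotiated).
    A mismatch means the flags are not reaching the library as intended."""
    expected = set(enabled_versions(options))
    return {name: (name in expected, probe_version(host, port, name))
            for name in PY_VERSION if name in LIBRARY_VERSIONS}


if __name__ == "__main__":  # constructed target: the thread's option string, local https_port 3130
    for name, (should, does) in audit("127.0.0.1", 3130, "NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2").items():
        print(f"{name:8} expected={should!s:5} negotiated={does}")
```

Run against the option string from the thread, `enabled_versions` reports only TLSv1_1 left, which is why that test locks out TLS 1.2 rather than enforcing it; `NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1` is the string that leaves TLS 1.2 alone.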
