[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 12 14:24:13 UTC 2022


On 12/12/22 06:34, Dieter Bloms wrote:

> I've enabled sslbump and configured the following outgoing tls options:
> 
> tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA


This probably does not apply to your specific use case, but I will state 
it here in case other readers find this exchange: If SslBump 
configuration peeks at the server, then Squid cannot honor 
tls_outgoing_options. For example, tls_outgoing_options will be ignored 
in the following configuration:

     ssl_bump peek all
     ssl_bump splice all

> min-version=1.2 options=NO_TLSv1:NO_TLSv1_1

FYI: The min-version=1.2 directive will automatically append 
NO_TLSv1:NO_TLSv1_1 options (or their GnuTLS equivalents).


> so for me it looks like squid must not use TLS1.1 or TLS1.0.
> But for some web sites like
> https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html
> the first request is made with a tls1.0 client hello packet.

You are probably being misled by Wireshark (or equivalent). Packet in 
frame 4 and packet in frame 9 in your trace use the same set of 
versions. The two packets only differ in Random, Session ID, and Key 
Exchange fields (as expected). You can confirm that by expanding TLS 
sub-trees in each packet, copying each packet dissection, and comparing 
the two saved text files.

TLS has many layers. Layers have their own versions (and their own 
version-specific ways to specify versions). The two packets in question 
use v1.0 TLS record to transmit ClientHello message (legacy version 
v1.2) to announce support for TLS v1.2 and TLS v1.3:

> TLS... Record Layer: Handshake Protocol: Client Hello
>     Content Type: Handshake (22)
>     Version: TLS 1.0 (0x0301)
>     Handshake Protocol: Client Hello
>         Version: TLS 1.2 (0x0303)
...
>         Extension: supported_versions (len=5)
>             Type: supported_versions (43)
>             Length: 5
>             Supported Versions length: 4
>             Supported Version: TLS 1.3 (0x0304)
>             Supported Version: TLS 1.2 (0x0303)


Why does Wireshark (and similar smart tools) say "TLSv1.3 Record Layer" 
only for packet 9 even though all the relevant ClientHello fields are 
identical in both packets? That happens because Wireshark is smart 
enough to look further into the TLS handshake and discover that, when it 
comes to the connection containing packet 9, the two agents have 
negotiated TLS v1.3 (starting with frame 10):

> TLSv1.3 Record Layer: Handshake Protocol: Hello Retry Request
>         Extension: supported_versions (len=2)
>             Type: supported_versions (43)
>             Length: 2
>             Supported Version: TLS 1.3 (0x0304)


You can easily confirm that Wireshark is just being (too) helpful by 
exporting frames 1-9 from the packet capture (as a pcap packet capture) 
and looking at the exported packets with Wireshark. You will then see 
"TLSv1 Record Layer" instead of "TLSv1.3 Record Layer" for packet 9, 
even though you have modified no packets, only truncated the exchange.


I do not know why the server resets the first TCP connection.


HTH,

Alex.



> When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.
> 
> So what option can be used to force a minimum tls1.2 client hello package every time?
> 
> Here is a link to the pcap file with both variants: https://bloms.de/download/www.europarl.europa.eu.pcap
> 
> 
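The three version fields Alex points at (record-layer version, ClientHello legacy_version, and the supported_versions extension) are easy to confuse when reading a dissector, so here is an added example, not part of the original thread or of Squid, that constructs a minimal ClientHello with those fields set the way the quoted dissection shows and then parses the raw bytes back. The `negotiable_versions` and `min_version_honoured` helpers are assumptions of this example: they encode the RFC 8446 rule that a server uses supported_versions when present and otherwise treats legacy_version as the client's maximum, which is the check an administrator actually wants when verifying that a `min-version=1.2` setting is in effect on the wire.

```python
import struct

# Constructed lookup table of the TLS versions relevant to this thread.
TLS_VERSION_NAMES = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43   # extension type number from RFC 8446


def build_client_hello(offered_versions, record_version=0x0301, legacy_version=0x0303):
    """Construct a minimal ClientHello record (constructed sample, not a capture).

    The record layer carries `record_version`, the handshake body carries
    `legacy_version`, and the real offer lives in the supported_versions
    extension, the three places the message above points at. Passing an
    empty `offered_versions` omits the extension, as a pre-TLS 1.3 client would.
    """
    random = bytes(32)                     # all-zero random is fine for a parser demo
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"    # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"

    if offered_versions:
        sv_body = bytes([2 * len(offered_versions)]) + b"".join(
            struct.pack("!H", v) for v in offered_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv_body)) + sv_body
        extensions = struct.pack("!H", len(ext)) + ext
    else:
        extensions = b""

    body = (struct.pack("!H", legacy_version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return (record_version, legacy_version, supported_versions list or None)."""
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = data[5:5 + record_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                              # skip random
    sid_len = body[pos]; pos += 1 + sid_len                   # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len

    supported = None
    if pos < len(body):                                       # extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext_body = body[pos:pos + ext_body_len]; pos += ext_body_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = ext_body[0]
                supported = [struct.unpack("!H", ext_body[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]
    return record_version, legacy_version, supported


def negotiable_versions(data):
    """Versions the client is really willing to negotiate (assumed helper).

    With supported_versions present the server must use it and ignore
    legacy_version; without it, legacy_version is the maximum and anything
    in the table below it may be negotiated.
    """
    _record, legacy, supported = parse_client_hello(data)
    if supported is not None:
        return sorted(supported)
    return [v for v in TLS_VERSION_NAMES if v <= legacy]


def min_version_honoured(data, minimum=0x0303):
    """True when nothing below `minimum` is on offer (e.g. min-version=1.2)."""
    return min(negotiable_versions(data)) >= minimum


if __name__ == "__main__":
    hello = build_client_hello([0x0304, 0x0303])
    rec, legacy, sup = parse_client_hello(hello)
    print("record layer:", TLS_VERSION_NAMES[rec])          # TLS 1.0, as in the dissection
    print("legacy_version:", TLS_VERSION_NAMES[legacy])     # TLS 1.2
    print("supported_versions:", [TLS_VERSION_NAMES[v] for v in sup])
    print("min-version=1.2 honoured:", min_version_honoured(hello))
```

Run against bytes exported from a capture instead of the constructed sample, the record-layer value will read 0x0301 for modern clients too; only the supported_versions list tells you whether TLS 1.0 or 1.1 could still be selected.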


