[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"
Amos Jeffries
squid3 at treenet.co.nz
Mon Dec 12 15:34:32 UTC 2022
On 13/12/2022 12:34 am, Dieter Bloms wrote:
> Hello,
>
> I've enabled sslbump and configured the following outgoing tls options:
>
> tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA
>
> so for me it looks like squid must not use TLS1.1 or TLS1.0.
Correct.
> But for some web sites like
> https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html
> the first request is made with an tls1.0 client hello packet.
In the pcap provided I see two TLS/1.2 attempts which are being
terminated by the server. Immediately followed by TLS/1.3 which is
succeeding and doing stuff. Other connections just go straight to
TLS/1.3 and do stuff.
FYI, if you are looking at the trace with wireshark the TLS/1.2 packets
are labeled as protocol "TLSv1" for some reason I don't know. There is a
framing layer for TLS which carries a version number "1.0", but that is
shared by all TLS/1.* versions up to and including 1.3.
> When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.
I'm not sure why that reload is needed. As mentioned above the visible
TLS terminate is immediately followed by successful TLS/1.3 use.
> So what option can be used to force a minimum tls1.2 client hello package every time?
The tls-min-version=1.2 which you already used, and appears to be working.
Cheers
Amos
More information about the squid-users
mailing list