[squid-users] Squid 5: server_cert_fingerprint not working fine...
Amos Jeffries
squid3 at treenet.co.nz
Sat Nov 19 15:50:26 UTC 2022
On 19/11/2022 2:55 am, UnveilTech - Support wrote:
> Hi Amos,
>
> We have tested with a "ssl_bump bump" ("ssl_bump all" and "ssl_bump bump sslstep1"), it does not solve the problem.
> According to Alex, we can also confirm it's a bug with Squid 5.x and TLS 1.3.
Okay.
> It seems Squid is only compatible with TLS 1.2, it's not good for the future...
One bug (or lack of ability) does not make the entire protocol
"incompatible". It only affects people trying to do the particular buggy
action.
Unfortunately for you (and others) it happens to be accessing this
server cert fingerprint.
I/we have been clear from the beginning that *when used properly*
TLS/SSL cannot be "bump"ed - that is true for all versions of TLS and
SSL before it. In that same "bump" use-case the server does not provide
*any* details, it just rejects the proxy's attempted connection. In some
paranoid security environments the server can reject even for "splice"
when the clientHello is passed on unchanged by the proxy. HTTPS use on
the web is typically *neither* of those "proper" setups so SSL-Bump
"bump" in general works and "splice" almost always.
Cheers
Amos
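For readers who want the configuration shape Amos is describing (peek first, splice the hosts that reject a proxy-issued certificate, bump the rest), the following squid.conf fragment is an added example for Squid 5, not something from this thread or from the Squid project; the port, file paths and host names are assumptions.

```conf
# Added example (assumed values): peek at the ClientHello, splice origins that
# reject bumping, and bump everything else. Paths and names are placeholders.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Origins known to pin or otherwise reject a proxy-issued certificate (assumed names).
acl no_bump ssl::server_name .pinned.example
acl no_bump ssl::server_name .bank.example

# Step 1: read the client's SNI without altering the TLS exchange.
ssl_bump peek step1
# Pass the ClientHello on unchanged for hosts that must not be bumped.
ssl_bump splice no_bump
# Everything else is terminated at the proxy with a generated certificate.
ssl_bump bump all

# A server_cert_fingerprint ACL would normally be checked once the origin
# certificate has been seen; this thread reports that it does not work with
# TLS 1.3 on Squid 5.x, so it is deliberately left out of this fragment.
```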