<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">When testing like so: openssl s_client -connect <a href="http://google.com:443">google.com:443</a><br></div><div>I get tls1.2 back</div><div><br></div><div>Via mobile chrome browser (android) and the proxy I get tls1.3<br></div><div>Truly don't understand :)<br><br></div><div>----- Some output -----</div><div>Service Name: squid<br>This binary uses OpenSSL 1.1.1 11 Sep 2018.</div><div><br></div><div>dpkg --list |grep ssl<br>ii libgnutls-openssl27:amd64 3.6.4-2ubuntu1.1 amd64 GNU TLS library - OpenSSL wrapper<br>ii libio-socket-ssl-perl 2.060-3 all Perl module implementing object oriented interface to SSL sockets<br>ii libnet-smtp-ssl-perl 1.04-1 all Perl module providing SSL support to Net::SMTP<br>ii libnet-ssleay-perl 1.85-2ubuntu2 amd64 Perl module for Secure Sockets Layer (SSL)<br>ii libssl-dev:amd64 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - development files<br>ii libssl1.0.0:amd64 1.0.2n-1ubuntu6.2 amd64 Secure Sockets Layer toolkit - shared libraries<br>ii libssl1.1:amd64 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - shared libraries<br>ii libxmlsec1-openssl:amd64 1.2.26-3 amd64 Openssl engine for the XML security library<br>ii libzstd1:amd64 1.3.5+dfsg-1ubuntu1 amd64 fast lossless compression algorithm<br>ii openssl 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - cryptographic utility<br>ii perl-openssl-defaults:amd64 3build1 amd64 version compatibility baseline for Perl OpenSSL packages<br>ii python3-openssl 18.0.0-1 all Python 3 wrapper around the OpenSSL library<br>rc ssl-cert 1.0.39 all simple debconf wrapper for OpenSSL<br><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 28, 2019 at 1:13 AM Stilyan Georgiev <<a href="mailto:stilyangeorgiev@gmail.com">stilyangeorgiev@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Thanks for the input, Alex.</div><div>I had many, many issues compiling openssl without tls1.3. At first I tried doing it side by side with the version I had in the OS but failed miserably, with squid continuing to use the OS package.<br></div><div>Eventually I release-upgraded the OS and now have the 1.1.1-1 package from the repo, rebuilt with no-tls1_3 in CONFARGS.</div><div><br></div><div>And to my amazement squid continues serving tls1.3 :)</div><div><br></div><div>Any suggestions on how to allow tls1.1 and tls1.2 only are very welcome. Maybe tls_outgoing_options cipher= ... <br><br></div><div>Thanks in advance for helping out!<br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2/26/19 4:55 AM, Stilyan Georgiev wrote:<br>
<br>
> Squid 4.5 with openssl support here.<br>
> SSL bumping can't obtain SNI / cert domain to perform filtering when<br>
> tls1.3 is used.<br>
> I want to disable support for tls1.3 in config but don't find way to do<br>
> so. There's the outdated sslproxy_options config directive which doesn't<br>
> appear to be supported in 4.5<br>
> <br>
> The goal is - allow everything, besides tls1.3<br>
<br>
Good question!<br>
<br>
TLS v1.3 clients that use "Middlebox Compatibility Mode", including<br>
OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients<br>
that attempt to restore a non-existent TLS session. Squid probably does<br>
not have ACLs that can detect those lies. However, if you think you can<br>
detect them, you can pass TLS Hello to your external ACL via the<br>
%>handshake logformat code.<br>
<br>
If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then<br>
I suspect the answer is "yes, but only if you bump the client connection<br>
first": A peeking Squid cannot negotiate a different TLS version with<br>
the client. If TLS downgrade is what you want, you can probably use an<br>
OpenSSL version that does not support TLS v1.3. There may also be an<br>
OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I<br>
have not researched that.<br>
<br>
Finally, there may be a bug in earlier versions of Squid that breaks<br>
peeking at TLS v1.3 servers during step2. Staring works. We have not<br>
tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers<br>
is largely pointless because useful information in TLS v1.3 Server Hello<br>
is encrypted.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail-m_1445198318667670190gmail_signature"><div><font face="tahoma,sans-serif">Yours Sincerely,</font></div><div><font face="tahoma,sans-serif"></font> </div><div><strong><font face="tahoma,sans-serif">Stilyan Georgiev</font></strong></div><div> </div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div><font face="tahoma,sans-serif">Yours Sincerely,</font></div><div><font face="tahoma,sans-serif"></font> </div><div><strong><font face="tahoma,sans-serif">Stilyan Georgiev</font></strong></div><div> </div></div>
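Alex's point about "Middlebox Compatibility Mode" is visible in the ClientHello itself: legacy_version still says 0x0303 and a 32-byte session id is present, so the only reliable signal that a client is offering TLS 1.3 is the supported_versions extension (type 43). The parser below is an added example, not code from this thread, from Squid or from OpenSSL, of the check an external ACL fed with %>handshake could apply; the ClientHellos it inspects are constructed inside the block, and the helper names are my own.

```python
import struct

# Constructed sample ClientHellos are built by build_client_hello below (not captured traffic).
SNI_EXT, SUPPORTED_VERSIONS_EXT = 0, 43
TLS12, TLS13 = 0x0303, 0x0304

def build_client_hello(sni, versions=(), session_id_len=32):
    """Build a minimal TLS record carrying a ClientHello with an SNI extension and,
    optionally, a supported_versions extension. legacy_version is always 0x0303."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    if versions:
        vbody = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vbody)) + vbody
    hello = (struct.pack("!H", TLS12) + b"\x00" * 32                # legacy_version, random
             + bytes([session_id_len]) + b"\x11" * session_id_len  # legacy_session_id
             + struct.pack("!HHH", 4, 0x1301, 0xC02F)              # two cipher suites
             + b"\x01\x00"                                         # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extract the fields a version-aware filter cares about from a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    info = {"legacy_version": struct.unpack("!H", hello[:2])[0], "sni": None, "supported_versions": []}
    pos = 2 + 32                                            # skip legacy_version and random
    info["session_id_len"] = hello[pos]; pos += 1 + hello[pos]
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + hello[pos]                                   # skip compression methods
    if pos >= len(hello):
        return info                                         # no extensions at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data, pos = hello[pos:pos + elen], pos + elen
        if etype == SNI_EXT and len(data) >= 5:             # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == SUPPORTED_VERSIONS_EXT and data:      # one length byte, then 2-byte versions
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + data[0], 2)]
    return info

def offers_tls13(record):
    """True when the client offers TLS 1.3, whatever legacy_version claims."""
    return TLS13 in parse_client_hello(record)["supported_versions"]

# A TLS 1.3 client in middlebox compatibility mode next to a plain TLS 1.2 client.
COMPAT_HELLO = build_client_hello("example.com", versions=(TLS13, TLS12))
TLS12_HELLO = build_client_hello("example.com", session_id_len=0)
```

Both samples report legacy_version 0x0303; only the supported_versions list separates them, which is why a version check keyed on the record or legacy_version field alone cannot tell a TLS 1.3 client from a TLS 1.2 one.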