<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">Hi,<br>
    </p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">I've set up a firewall
      and proxy with pf &amp; Squid on FreeBSD. Is it possible to
      observe and filter with Squid which cipher suite is selected
      between endpoints (client and server) without changing their SSL
      certificate, without mimicking the server certificate?</p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">My main goal is to avoid
      weak ciphers that parties agree upon. I want to force my clients
      to use modern algorithms while surfing the internet filtered by
      Squid.</p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">For example, if the client
      and server agree on a cipher suite that includes MD5 or SHA1, DES or
      RC4, or on SSLv3, or if the server sends my client a certificate
      signed with SHA1, or an expired certificate, etc., I want to ban the
      traffic.</p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">There is a directive '<strong
        style="margin: 0px; padding: 0px; border: 0px; font-style:
        inherit; font-variant: inherit; font-weight: bold; font-stretch:
        inherit; line-height: inherit; font-family: inherit; font-size:
        15px; vertical-align: baseline; box-sizing: inherit;">tls_outgoing_options</strong>'
      in Squid and it has '<strong style="margin: 0px; padding: 0px;
        border: 0px; font-style: inherit; font-variant: inherit;
        font-weight: bold; font-stretch: inherit; line-height: inherit;
        font-family: inherit; font-size: 15px; vertical-align: baseline;
        box-sizing: inherit;">cipher</strong>' and '<strong
        style="margin: 0px; padding: 0px; border: 0px; font-style:
        inherit; font-variant: inherit; font-weight: bold; font-stretch:
        inherit; line-height: inherit; font-family: inherit; font-size:
        15px; vertical-align: baseline; box-sizing: inherit;">min-version</strong>'
      configurations. Do these configurations satisfy my goal?</p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">Sincerely,<br>
      Ali</p>
    <p style="margin: 0px 0px 1em; padding: 0px; border: 0px;
      font-style: normal; font-variant-ligatures: normal;
      font-variant-caps: normal; font-variant-numeric: inherit;
      font-variant-east-asian: inherit; font-weight: 400; font-stretch:
      inherit; line-height: inherit; font-family: Arial, "Helvetica
      Neue", Helvetica, sans-serif; font-size: 15px;
      vertical-align: baseline; box-sizing: inherit; clear: both; color:
      rgb(36, 39, 41); letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">Note: I already asked
      this question in <a
href="https://serverfault.com/questions/987463/filtering-cipher-suites-and-certificate-algorithms-without-man-in-the-middle">https://serverfault.com/questions/987463/filtering-cipher-suites-and-certificate-algorithms-without-man-in-the-middle</a>
      &amp; <a
href="https://crypto.stackexchange.com/questions/74936/observing-cipher-suites-and-certificate-algorithms-without-man-in-the-middle">https://crypto.stackexchange.com/questions/74936/observing-cipher-suites-and-certificate-algorithms-without-man-in-the-middle</a></p>
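    <p>Added example, not part of the original post and not Squid code: the
      ServerHello travels in cleartext, so a passive observer can read the
      negotiated version and selected cipher suite and apply the kind of policy
      described above. The suite table is a constructed subset of the IANA
      registry, and the policy constants, function names and sample records are
      assumptions made for the illustration.</p>

```python
import struct

SUITES = {  # constructed subset of the IANA cipher-suite registry
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_TOKENS = ("_RC4_", "_DES_", "_3DES_", "_MD5")  # assumed policy, from the post
MIN_VERSION = 0x0301                                # assumed policy: reject SSLv3

def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite_id) from a cleartext ServerHello record."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a ServerHello handshake record")
    hlen = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hlen]
    if len(hs) != hlen or hlen < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[:2])[0]
    pos = 35 + hs[34]                     # skip version, random, session_id
    if pos + 3 > hlen:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                              # suite + compression method
    if pos + 2 <= hlen:                   # walk the extensions, if any
        end = min(hlen, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:  # supported_versions
                version = struct.unpack("!H", hs[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return version, suite

def verdict(record: bytes):
    """Return ("allow" | "deny", version, suite_name); unknown suites fail closed."""
    version, suite = parse_server_hello(record)
    name = SUITES.get(suite)
    weak = (name is None or version < MIN_VERSION or name.endswith("_SHA")
            or any(t in name for t in WEAK_TOKENS))
    return ("deny" if weak else "allow"), version, name

def build_server_hello(version, suite, extensions=b""):  # constructed sample input
    hs = struct.pack("!H32xBHBH", version, 0, suite, 0, len(extensions)) + extensions
    hs = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
```

    <p>The same passive view does not extend to the certificate in TLS 1.3,
      where the server's Certificate message is sent encrypted; in TLS 1.2 and
      earlier it is sent in cleartext after the ServerHello.</p>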
  </body>
</html>