<div dir="ltr">Hi,<div><br></div><div>I am trying to allow access for only tls versions 1.2 and above on Squid 3.5.20<br><br>For testing purposes, I have set options in squid config as follows.<br><br>```<br>https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2<br><br>sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2<br>```<br><br>I test using curl <br>```<br>curl -v <a href="https://api.github.com/users/xyz">https://api.github.com/users/xyz</a><br>```<br><br>I am able to access github and the ssl connection is tls 1.2<br><br>```<br>*   Trying 13.236.14.80...<br>* TCP_NODELAY set<br>* Connected to <a href="http://api.github.com">api.github.com</a> (13.236.14.80) port 443 (#0)<br>* ALPN, offering h2<br>* ALPN, offering http/1.1<br>* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH<br>* successfully set certificate verify locations:<br>*   CAfile: /etc/pki/tls/certs/ca-bundle.crt<br>  CApath: none<br>* TLSv1.2 (OUT), TLS header, Certificate Status (22):<br>* TLSv1.2 (OUT), TLS handshake, Client hello (1):<br>* TLSv1.2 (IN), TLS handshake, Server hello (2):<br>* TLSv1.2 (IN), TLS handshake, Certificate (11):<br>* TLSv1.2 (IN), TLS handshake, Server key exchange (12):<br>* TLSv1.2 (IN), TLS handshake, Server finished (14):<br>* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):<br>* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):<br>* TLSv1.2 (OUT), TLS handshake, Finished (20):<br>* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):<br>* TLSv1.2 (IN), TLS handshake, Finished (20):<br>* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256<br>* ALPN, server accepted to use http/1.1<br>* Server certificate:<br>*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.<a href="http://github.com">github.com</a><br>*  start date: Jun 22 00:00:00 2020 GMT<br>*  expire date: Aug 17 12:00:00 2022 GMT<br>*  subjectAltName: host "<a 
href="http://api.github.com">api.github.com</a>" matched cert's "*.<a href="http://github.com">github.com</a>"<br>*  issuer: C=US; O=DigiCert Inc; OU=<a href="http://www.digicert.com">www.digicert.com</a>; CN=DigiCert SHA2 High Assurance Server CA<br>*  SSL certificate verify ok.<br>> GET /users/xyz HTTP/1.1<br>> Host: <a href="http://api.github.com">api.github.com</a><br>> User-Agent: curl/7.61.1<br>> Accept: */*<br>><br>< HTTP/1.1 200 OK<br>< date: Mon, 05 Oct 2020 22:57:40 GMT<br>< content-type: application/json; charset=utf-8<br>< server: GitHub.com<br>< status: 200 OK<br>< cache-control: public, max-age=60, s-maxage=60<br>< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding<br>< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"<br>< last-modified: Wed, 23 May 2018 19:43:26 GMT<br>< x-github-media-type: github.v3; format=json<br>< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset<br>< access-control-allow-origin: *<br>< strict-transport-security: max-age=31536000; includeSubdomains; preload<br>< x-frame-options: deny<br>< x-content-type-options: nosniff<br>< x-xss-protection: 1; mode=block<br>< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin<br>< content-security-policy: default-src 'none'<br>< X-Ratelimit-Limit: 60<br>< X-Ratelimit-Remaining: 59<br>< X-Ratelimit-Reset: 1601942260<br>< X-Ratelimit-Used: 1<br>< Accept-Ranges: bytes<br>< Content-Length: 1220<br>< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4<br><<br>{<br>  "login": "xyz",<br>  "id": 14513,<br>  "node_id": "MDQ6VXNlcjE0NTEz",<br>  "avatar_url": "<a href="https://avatars1.githubusercontent.com/u/14513?v=4">https://avatars1.githubusercontent.com/u/14513?v=4</a>",<br>  "gravatar_id": "",<br>  "url": "<a 
href="https://api.github.com/users/xyz">https://api.github.com/users/xyz</a>",<br>  "html_url": "<a href="https://github.com/xyz">https://github.com/xyz</a>",<br>  "followers_url": "<a href="https://api.github.com/users/xyz/followers">https://api.github.com/users/xyz/followers</a>",<br>  "following_url": "<a href="https://api.github.com/users/xyz/following{/other_user}">https://api.github.com/users/xyz/following{/other_user}</a>",<br>  "gists_url": "<a href="https://api.github.com/users/xyz/gists{/gist_id}">https://api.github.com/users/xyz/gists{/gist_id}</a>",<br>  "starred_url": "<a href="https://api.github.com/users/xyz/starred{/owner}{/repo}">https://api.github.com/users/xyz/starred{/owner}{/repo}</a>",<br>  "subscriptions_url": "<a href="https://api.github.com/users/xyz/subscriptions">https://api.github.com/users/xyz/subscriptions</a>",<br>  "organizations_url": "<a href="https://api.github.com/users/xyz/orgs">https://api.github.com/users/xyz/orgs</a>",<br>  "repos_url": "<a href="https://api.github.com/users/xyz/repos">https://api.github.com/users/xyz/repos</a>",<br>  "events_url": "<a href="https://api.github.com/users/xyz/events{/privacy}">https://api.github.com/users/xyz/events{/privacy}</a>",<br>  "received_events_url": "<a href="https://api.github.com/users/xyz/received_events">https://api.github.com/users/xyz/received_events</a>",<br>  "type": "User",<br>  "site_admin": false,<br>  "name": "xyz",<br>  "company": null,<br>  "blog": "",<br>  "location": null,<br>  "email": null,<br>  "hireable": null,<br>  "bio": null,<br>  "twitter_username": null,<br>  "public_repos": 1,<br>  "public_gists": 0,<br>  "followers": 8,<br>  "following": 1,<br>  "created_at": "2008-06-21T11:58:01Z",<br>  "updated_at": "2018-05-23T19:43:26Z"<br>}<br>* Connection #0 to host <a href="http://api.github.com">api.github.com</a> left intact<br>```<br>Despite setting no tls 1.2, I am able to successfully make a connection.<br>What am I missing here?<br>Any help much appreciated.<br 
clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Nisa Balakrishnan, Automation Engineer</div></div></div>
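An added check, not part of the original post and not Squid project code: it parses the `options=` value and the two relevant lines of the `curl -v` output quoted above, then reports whether the negotiated protocol is one the configuration disables and whether the certificate issuer is the proxy's CA. `PROXY_CA_NAME` is a placeholder assumption for the name of the CA behind `squid.pem`, which the post does not give.

```python
import re

# Squid/OpenSSL option token -> protocol it disables.
OPTION_TO_PROTO = {
    "NO_SSLv2": "SSLv2", "NO_SSLv3": "SSLv3", "NO_TLSv1": "TLSv1.0",
    "NO_TLSv1_1": "TLSv1.1", "NO_TLSv1_2": "TLSv1.2",
}

def disabled_protocols(directive):
    """Protocols switched off by an https_port options= value or sslproxy_options line."""
    tokens = re.findall(r"NO_(?:SSL|TLS)v\d(?:_\d)?", directive)
    return {OPTION_TO_PROTO[t] for t in tokens if t in OPTION_TO_PROTO}

def parse_curl_verbose(log):
    """Pull negotiated protocol, cipher and certificate issuer out of `curl -v` text."""
    conn = re.search(r"^\* SSL connection using (\S+) / (\S+)", log, re.M)
    issuer = re.search(r"^\*\s+issuer: (.+)$", log, re.M)
    proto = conn.group(1) if conn else None
    if proto == "TLSv1":            # some curl builds print TLS 1.0 without ".0"
        proto = "TLSv1.0"
    return {"protocol": proto,
            "cipher": conn.group(2) if conn else None,
            "issuer": issuer.group(1).strip() if issuer else None}

def audit(directive, log, proxy_ca_name):
    """Compare what curl negotiated with what the Squid directive disables."""
    seen = parse_curl_verbose(log)
    return {**seen,
            "protocol_disabled_in_config": seen["protocol"] in disabled_protocols(directive),
            # When Squid terminates the client's TLS, curl sees a certificate from
            # the proxy's own CA; any other issuer means this handshake was not
            # terminated by Squid, so the listener's options= did not negotiate it.
            "terminated_by_proxy": bool(seen["issuer"]) and proxy_ca_name in seen["issuer"]}

# Directive and log lines as quoted in the post (HTML links stripped).
HTTPS_PORT = ("https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept "
              "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2")
CURL_LOG = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
"""
PROXY_CA_NAME = "Example Squid CA"   # placeholder (assumption): CA name behind squid.pem

if __name__ == "__main__":
    for key, value in audit(HTTPS_PORT, CURL_LOG, PROXY_CA_NAME).items():
        print(f"{key}: {value}")
```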