<div dir="ltr">Hello Team,<br><br>I need some help in configuring cipher suite ordering. I am using squid with SSL configs and trying to configure the cipher order, but I am not able to do so. I am using the sites below to check my cipher ordering, and they show a different ordering than what I have configured.<br><br><a href="https://www.howsmyssl.com">https://www.howsmyssl.com</a><br><a href="https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html">https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html</a><br><br>Below are my compiled squid details -<br><br>squid -v<br>Squid Cache: Version 5.0.4<br>Service Name: squid<br><br>This binary uses OpenSSL 1.1.1g FIPS  21 Apr 2020. For legal restrictions on distribution see <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a><br><br>configure options:  '--prefix=/app/squid' '--with-openssl' '--enable-ssl-crtd' '--with-filedescriptors=5000' '--enable-storeio=diskd,aufs,ufs' '--with-large-files' '--enable-useragent-log' '--enable-ltdl-convenience' '--with-tls' '--enable-http-violations'<br><br><br>The OS I am using - CentOS Linux release 8.3.2011<br><br>I have tried changing the ordering with the parameters below, but with no luck -<br><br>http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/app/squid/etc/certs/ProxyBump.crt tls-key=/app/squid/etc/certs/ProxyBump.key cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE tls-dh=prime256v1:/app/squid/etc/certs/ProxyBump.pem<br><br>tls_outgoing_options min-version=1.2 
cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE<br><br>Below is the cipher list order I am expecting, but it is not the case.<br><br>TLS_AES_128_GCM_SHA256<br>TLS_AES_256_GCM_SHA384<br>TLS_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_GCM_SHA256<br>TLS_RSA_WITH_AES_256_GCM_SHA384<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_CBC_SHA<br><br>Below is my full config file -<br><br>#<br># Recommended minimum configuration:<br>#<br>acl manager proto cache_object<br>#acl localhost src 127.0.0.1/32<br>#acl to_localhost dst 127.0.0.0/8<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 10.0.0.0/8     # RFC1918 possible internal network<br>acl localnet src 172.16.0.0/12    # RFC1918 possible internal network<br>acl localnet src 192.168.0.0/16  # RFC1918 possible internal network<br>#acl localnet src fc00::/7       # RFC 4193 local private network range<br>#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) 
machines<br><br>acl SSL_ports port 443<br>acl SSL_ports port 8443<br>acl Safe_ports port 80               # http<br>acl Safe_ports port 21          # ftp<br>acl Safe_ports port 443          # https<br>acl Safe_ports port 70         # gopher<br>acl Safe_ports port 210               # wais<br>acl Safe_ports port 1025-65535  # unregistered ports<br>acl Safe_ports port 280           # http-mgmt<br>acl Safe_ports port 488            # gss-http<br>acl Safe_ports port 591             # filemaker<br>acl Safe_ports port 777            # multiling http<br>acl Safe_ports port 8443              # multiling http<br>acl CONNECT method CONNECT<br>acl intermediate_fetching transaction_initiator certificate-fetching<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Only allow cachemgr access from localhost<br>http_access allow intermediate_fetching<br>http_access allow manager localhost<br>http_access deny manager<br><br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br>http_access allow localnet<br>http_access allow localhost<br><br># And finally deny all other access to this proxy<br>http_access allow all<br><br># Squid normally listens to port 3128<br>http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/app/squid/etc/certs/ProxyBump.crt 
tls-key=/app/squid/etc/certs/ProxyBump.key cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE tls-dh=prime256v1:/app/squid/etc/certs/ProxyBump.pem<br><br>sslcrtd_program /app/squid/etc/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB<br>sslproxy_cert_error allow all<br>ssl_bump stare all<br>tls_outgoing_options min-version=1.2 cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE<br>cache_mem 1024 MB<br># Uncomment and adjust the following to add a disk cache directory.<br>cache_dir aufs /app/squid/var/cache/squid 1024 16 256<br>shutdown_lifetime 10 seconds<br><br># Leave coredumps in the first cache dir<br>coredump_dir /app/squid/var/cache/squid<br><br>logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %>h %Se %>sh<br>logformat extended %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %Hs %<st "%{Referer}>h" "%{User-agent}>h"<br>server_persistent_connections off<br>logfile_rotate 30<br><br># Add any of your own refresh_pattern entries above these.<br>refresh_pattern ^ftp:             1440    20%     10080<br>refresh_pattern ^gopher: 1440    0%      1440<br>refresh_pattern -i (/cgi-bin/|\?) 
0       0%      0<br>refresh_pattern .            0       20%     4320<br><br>cache_peer 1.2.3.4 parent 8080 0 no-query default login=abc:xyz<br>never_direct allow all<br><br>cache_log /app/squid/var/logs/cache.log<br>access_log /app/squid/var/logs/access.log<br>access_log /app/squid/var/logs/access.log.mitm extended<br>pid_filename /app/squid/var/run/squid.pid<br>max_filedescriptors 5000<br><br>Please let me know if I am missing anything.<br><br>Thanks,<br>Vinod<br></div>
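What OpenSSL actually derives from a `cipher=` string like the one in the post can be checked offline, because such a string ends up in OpenSSL's cipher-list API (`SSL_CTX_set_cipher_list`). The following is an added example, not code from the original post or from Squid: it uses Python's `ssl` module, so the resolved order reflects whatever OpenSSL build Python is linked against (not the OpenSSL 1.1.1g FIPS build above), and it copies the cipher string from the `http_port` line verbatim.

```python
import ssl

# Cipher string copied from the http_port line of the post above:
# three TLS 1.3 suite names first, then OpenSSL-style TLS 1.2 names and exclusions.
SQUID_CIPHER_STRING = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def resolve_cipher_order(cipher_string):
    """Return [(openssl_name, protocol), ...] in the order OpenSSL derives from
    cipher_string via SSL_CTX_set_cipher_list (what ssl.SSLContext.set_ciphers
    calls). TLS 1.3 suites are governed by OpenSSL's separate ciphersuites
    setting, so they appear first regardless of what the string says."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Without this option OpenSSL selects in the *client's* preference order,
    # so the server-side list order alone does not decide the negotiated suite.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing usable remains
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def split_by_version(cipher_string):
    """Split the resolved order into the TLS 1.3 part and the TLS 1.2 part."""
    resolved = resolve_cipher_order(cipher_string)
    tls13 = [name for name, proto in resolved if proto == "TLSv1.3"]
    tls12 = [name for name, proto in resolved if proto != "TLSv1.3"]
    return tls13, tls12


def unrecognised_tokens(cipher_string):
    """Positive tokens that selected no TLS 1.2 cipher: OpenSSL silently skips
    names it does not know in a cipher list, so typos and TLS 1.3 names vanish."""
    _, tls12 = split_by_version(cipher_string)
    return [t for t in cipher_string.split(":")
            if not t.startswith("!") and t not in tls12]


if __name__ == "__main__":
    tls13, tls12 = split_by_version(SQUID_CIPHER_STRING)
    print("TLS 1.3 (ordered by OpenSSL's ciphersuites setting):", tls13)
    print("TLS 1.2 (ordered by the cipher= string):", tls12)
    print("tokens that matched no TLS 1.2 cipher:",
          unrecognised_tokens(SQUID_CIPHER_STRING))
```

The TLS 1.2 part comes back in exactly the configured order, while the three `TLS_*` names are reported as tokens that matched nothing, which is why they do not influence the TLS 1.3 ordering a client-test site displays.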