<div dir="ltr">I have been trying to make this work but still no luck. Any help is appreciated.<div><br></div><div>Thanks,</div><div>Vinod</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 12, 2021 at 4:34 PM vinod mg <<a href="mailto:vinod9987@gmail.com">vinod9987@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Amos,<div><br></div><div>Thanks for responding; I really appreciate the quick response.</div><div><br></div><div>So yes, if squid can mimic exactly what the client is sending, that is all I am looking for, but here it's not the case; as you can see in the example below, squid is re-arranging the cipher list, which I do not want. </div><div><br></div><div>Below is the default cipher list order I got with plain firefox browsing <a href="https://www.howsmyssl.com/" rel="noreferrer" target="_blank">howsmyssl.com</a> without proxy -</div><div><ul>
<li>TLS_AES_128_GCM_SHA256</li>
<li>TLS_CHACHA20_POLY1305_SHA256</li>
<li>TLS_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</li>
<li>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_RSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_RSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_RSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_RSA_WITH_3DES_EDE_CBC_SHA</li></ul></div><div>Below is the cipher list order I got with the same firefox browsing <a href="https://www.howsmyssl.com/" rel="noreferrer" target="_blank">howsmyssl.com</a> with explicit squid proxy configured -</div><div><ul><li>TLS_AES_256_GCM_SHA384</li>
<li>TLS_CHACHA20_POLY1305_SHA256</li>
<li>TLS_AES_128_GCM_SHA256</li>
<li>TLS_AES_128_CCM_SHA256</li>
<li>TLS_RSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_RSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_RSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</li>
<li>TLS_RSA_WITH_3DES_EDE_CBC_SHA</li>
<li>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</li></ul><div>I have tried removing "cipher=" from both "tls_outgoing_options" and "http_port", but the cipher list sent by the client is still changed while it's passing via squid. Please let me know if I am missing anything. </div><div><br></div><div>Thanks,</div></div><div>Vinod</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 12, 2021 at 3:20 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/01/21 5:44 pm, vinod mg wrote:<br>
> Hello Team,<br>
> <br>
> I need some help in configuring cipher suite ordering. I am using squid <br>
> with SSL configs and trying to configure the cipher order but not able <br>
> to do so. I am using the below sites to check my cipher ordering and it's <br>
> showing different ordering than what I have configured.<br>
> <br>
> <a href="https://www.howsmyssl.com" rel="noreferrer" target="_blank">https://www.howsmyssl.com</a> <<a href="https://www.howsmyssl.com" rel="noreferrer" target="_blank">https://www.howsmyssl.com</a>><br>
> <a href="https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html" rel="noreferrer" target="_blank">https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html</a> <br>
> <<a href="https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html" rel="noreferrer" target="_blank">https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html</a>><br>
> <br>
<br>
These sites show what the client is sending. Modern Squid mimics what the <br>
browser sends as closely as possible to avoid issues being added.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div>
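As an added example (not part of this thread and not Squid's own code), here is a small Python check for the question Vinod is asking: take the suite order howsmyssl.com shows for a direct connection and the order it shows through the proxy, and report what the proxy added, dropped or re-ordered, plus any legacy suites (3DES, non-PFS RSA key exchange) the server now sees offered. The two HTML fragments are shortened copies of the lists pasted above (constructed sample input), and the function names are my own.

```python
"""Does a proxy change the cipher-suite order a TLS client offers?
Added example for the thread above, not Squid's code. The two HTML fragments
are shortened copies of the howsmyssl.com lists in the thread (constructed)."""
import re
from typing import Dict, List

DIRECT_HTML = """<ul><li>TLS_AES_128_GCM_SHA256</li>
<li>TLS_CHACHA20_POLY1305_SHA256</li>
<li>TLS_AES_256_GCM_SHA384</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_RSA_WITH_3DES_EDE_CBC_SHA</li></ul>"""

PROXIED_HTML = """<ul><li>TLS_AES_256_GCM_SHA384</li>
<li>TLS_CHACHA20_POLY1305_SHA256</li>
<li>TLS_AES_128_GCM_SHA256</li>
<li>TLS_AES_128_CCM_SHA256</li>
<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_RSA_WITH_3DES_EDE_CBC_SHA</li>
<li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li>
<li>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</li></ul>"""

LI_RE = re.compile(r"<li>\s*(TLS_[A-Z0-9_]+)\s*</li>")


def parse_suite_list(html: str) -> List[str]:
    """Suite names in the order howsmyssl lists them (client preference order)."""
    return LI_RE.findall(html)


def compare_hello_orders(direct: List[str], proxied: List[str]) -> Dict:
    """Describe how the server-visible (proxied) offer differs from the client's."""
    direct_set, proxied_set = set(direct), set(proxied)
    # SCSVs are signalling values, not ciphers: exclude them from order checks.
    common = [s for s in direct if s in proxied_set and not s.endswith("_SCSV")]
    proxied_common = [s for s in proxied if s in common]
    divergence = next((i for i, (a, b) in enumerate(zip(common, proxied_common))
                       if a != b), None)
    return {
        "added": [s for s in proxied if s not in direct_set],
        "removed": [s for s in direct if s not in proxied_set],
        "reordered": common != proxied_common,
        "first_divergence": divergence,  # index in client preference order
        "legacy_offered": [s for s in proxied
                           if "3DES" in s or s.startswith("TLS_RSA_WITH_")],
    }


def report() -> Dict:
    return compare_hello_orders(parse_suite_list(DIRECT_HTML),
                                parse_suite_list(PROXIED_HTML))
```

A non-empty `added` list or `reordered == True` means the ClientHello the origin server sees is the proxy's, not the browser's, so server-side cipher policy and client fingerprinting will be judging the proxy's TLS stack.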