[squid-dev] [RFC] removal of SSL version options
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 15 12:17:00 UTC 2015
Squid currently has several "version" options to set the SSL/TLS
protocol version.
http(s)_port ... version=
cache_peer ... sslversion
sslproxy_version ...
However,
1) The option configures version X only, which does not follow the
current best practice of most other TLS-enabled software: offering a
minimum-version option, for compliance with TLS version auto-upgrade
mechanisms.
This can result in Squid installations being stuck unnecessarily on
outdated protocol versions with insecure ciphers.
2) These options overlap with the related ssloptions= values.
These can easily be configured to conflict, such as the version setting
TLSv1.0-only and ssl-options enabling other versions with v1.0
forbidden. The order of security context setup prevents this from being a
major problem, but it can result in security doing things the admin does
not exactly expect.
3) The http(s)_port option is also easily confused with protocol= since
it lacks the "ssl" prefix seen elsewhere.
I would like to eventually move towards having a TLS minimum-version
parameter like other software, which means we at least need to begin
clearing up this problem ASAP.
Given that the ssloptions= parameters can be used to reach the same
configuration I propose that we simply remove the current sslversion
options.
Opinions?
Amos
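The overlap described in point 2) (an X-only version setting combined with NO_* ssloptions that forbid that same version) is easy to check for mechanically. The following is an added example, not Squid code and not part of the original post: a small lint over squid.conf text that reads the version=/sslversion=/sslproxy_version and options=/ssloptions=/sslproxy_options settings, computes which protocol versions survive both, and flags a conflict (nothing survives) or a pin (a single version, no auto-upgrade possible). The numeric version codes (1 auto, 2 SSLv2, 3 SSLv3, 4 TLSv1.0, 5 TLSv1.1, 6 TLSv1.2) are taken from the squid.conf documentation of the Squid 3.x era as I recall it and are treated as an assumption here; the sample configuration is constructed for the example.

```python
"""Lint squid.conf TLS version vs. options settings for the X-only/NO_* conflict.

Added example; not Squid project code. The version-code mapping below is an
assumption based on the Squid 3.x squid.conf documentation.
"""
import re

# Assumed Squid 3.x codes for http(s)_port version=, cache_peer sslversion=
# and sslproxy_version. Code 1 means "automatic" (no pin).
VERSION_CODES = {"1": None, "2": "SSLv2", "3": "SSLv3",
                 "4": "TLSv1", "5": "TLSv1_1", "6": "TLSv1_2"}
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")


def _parse_options(value):
    """Protocols forbidden by a comma-separated options value (NO_SSLv3, ...)."""
    return {opt[3:] for opt in value.split(",")
            if opt.startswith("NO_") and opt[3:] in PROTOCOLS}


def tls_settings(config_text):
    """Collect (label, version_only, forbidden) triples from squid.conf text.

    http(s)_port and cache_peer carry both settings inline on one line;
    sslproxy_version and sslproxy_options are separate directives and are
    merged into a single 'sslproxy_*' entry.
    """
    entries = []
    proxy = {"version": None, "forbidden": set(), "seen": False}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        words = line.split()
        directive = words[0]
        if directive in ("http_port", "https_port", "cache_peer"):
            version_only, forbidden = None, set()
            for tok in words[1:]:
                m = re.fullmatch(r"(?:ssl)?version=(\d+)", tok)
                if m:
                    version_only = VERSION_CODES.get(m.group(1))
                m = re.fullmatch(r"(?:ssl)?options=(\S+)", tok)
                if m:
                    forbidden |= _parse_options(m.group(1))
            entries.append((line, version_only, forbidden))
        elif directive == "sslproxy_version" and len(words) > 1:
            proxy["version"] = VERSION_CODES.get(words[1])
            proxy["seen"] = True
        elif directive == "sslproxy_options" and len(words) > 1:
            proxy["forbidden"] |= _parse_options(words[1])
            proxy["seen"] = True
    if proxy["seen"]:
        entries.append(("sslproxy_*", proxy["version"], proxy["forbidden"]))
    return entries


def allowed_versions(version_only, forbidden):
    """Protocol versions that survive both the X-only pin and the NO_* options."""
    candidates = [version_only] if version_only else list(PROTOCOLS)
    return [p for p in candidates if p not in forbidden]


def lint(config_text):
    """One finding string per problematic directive; an empty list means clean."""
    findings = []
    for label, version_only, forbidden in tls_settings(config_text):
        allowed = allowed_versions(version_only, forbidden)
        if not allowed:
            findings.append(f"CONFLICT: {label}: version pins {version_only} "
                            f"but options forbid it; nothing can be negotiated")
        elif version_only:
            findings.append(f"PINNED: {label}: {version_only} only; "
                            f"no auto-upgrade possible")
    return findings


# Constructed sample configuration (not from any real deployment).
SAMPLE_CONF = """\
# constructed sample
https_port 3129 cert=/etc/squid/cert.pem version=4 options=NO_SSLv2,NO_SSLv3,NO_TLSv1
cache_peer parent.example parent 443 0 ssl sslversion=6
sslproxy_version 1
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The sslproxy_* pair in the sample is the shape the post argues for: no X-only pin, with the minimum version expressed purely through NO_* options, so TLSv1.1 and TLSv1.2 both remain negotiable. The https_port line shows the conflict from point 2), and the cache_peer line shows a pin that will never auto-upgrade.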