[squid-users] SSL-bump and Ciphersuite?
Amos Jeffries
squid3 at treenet.co.nz
Mon Jan 11 10:13:17 UTC 2016
On 11/01/2016 10:50 p.m., Walter H. wrote:
> Hello,
>
> I'd restrict the client by using a less resource consuming TLS encryption;
>
> I thought of doing just this
>
> e.g.
> http_port 3128 ... cipher=3DES ...
> (for restricting clients connecting to 3DES)
>
> or what would be less resource consuming?
> AES128?
Depends on the specific TLS library implementation, what other hashes
etc are used alongside, and any crypto hardware support in the machine
running it.
>
> but where can I see, which ciphersuite is really used?
> (which log shows this? is it /var/squid/cache.log?)
For that you need the new 'negotiated_cipher' logformat codes in the
latest Squid-4.0.4 (note some more build errors found the past few days).
>
> the reason why I'm asking this:
>
> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
> SSL-interception, and there the browsers show different Ciphersuites;
>
> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
>
> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus, the
> Anti-Virus itself uses 3DES to the proxy server?
> (the proxy server matches another Ciphersuite to the web host)
Yes it is like that. TLS is point-to-point encryption.
Amos
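
An added example, not part of the original thread and not Squid's own code: assuming a Squid 4 `logformat` that records `%ssl::>negotiated_cipher` (client-to-proxy hop) and `%ssl::<negotiated_cipher` (proxy-to-server hop), this script reads the resulting log and shows that each hop negotiates its own cipher, listing clients still on 3DES. The format name `tlshops`, the log path, the field order and the sample lines are assumptions constructed for illustration.

```python
"""Summarise per-hop TLS ciphers from a Squid access log (added example).

Assumed squid.conf, using Squid 4 logformat codes; 'tlshops' and the path are made up:
  logformat tlshops %ts %>a %ssl::>negotiated_cipher %ssl::<negotiated_cipher %rm %ru
  access_log /var/log/squid/tls.log tlshops
"""
from collections import Counter

# Constructed sample lines in the assumed format; "-" means no TLS on that hop.
SAMPLE_LOG = """\
1452507197 192.0.2.10 DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 CONNECT example.com:443
1452507201 192.0.2.10 DES-CBC3-SHA ECDHE-RSA-CAMELLIA256-SHA384 CONNECT example.org:443
1452507230 192.0.2.11 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 CONNECT example.net:443
1452507244 192.0.2.12 - - GET http://example.com/
this line is malformed
"""

# OpenSSL-style name fragments of suites to phase out (3DES is "DES-CBC3").
WEAK_MARKERS = ("DES-CBC3", "3DES", "RC4")

def parse_line(line):
    """Return (client, client_hop_cipher, server_hop_cipher) or None if malformed."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        return None
    _ts, client, client_hop, server_hop, _method, _url = parts
    return client, client_hop, server_hop

def is_weak(cipher):
    return any(marker in cipher.upper() for marker in WEAK_MARKERS)

def summarise(text):
    """Count ciphers per hop, list weak clients, count requests whose hops differ."""
    client_hops, server_hops, weak_clients, differing = Counter(), Counter(), set(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] == "-":
            continue  # skip malformed lines and requests without client-side TLS
        client, client_hop, server_hop = rec
        client_hops[client_hop] += 1
        if server_hop != "-":
            server_hops[server_hop] += 1
            differing += client_hop != server_hop  # each hop negotiates on its own
        if is_weak(client_hop):
            weak_clients.add(client)
    return client_hops, server_hops, sorted(weak_clients), differing

if __name__ == "__main__":
    for label, value in zip(("client hop", "server hop", "weak clients", "differing"),
                            summarise(SAMPLE_LOG)):
        print(f"{label}: {dict(value) if isinstance(value, Counter) else value}")
```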