[squid-users] SSL-bump and Ciphersuite?

Walter H. walter.h at mathemainzel.info
Mon Jan 11 10:51:44 UTC 2016


Hello Amos,

On Mon, January 11, 2016 11:13, Amos Jeffries wrote:
> On 11/01/2016 10:50 p.m., Walter H. wrote:
>> Hello,
>>
>> I'd like to restrict the client to a less resource-consuming TLS
>> encryption;
>>
>> I thought of doing just this
>>
>> e.g.
>> http_port 3128 ... cipher=3DES ...
>> (for restricting clients connecting to 3DES)
>>
>> or what would be less resource consuming?
>> AES128?
>
> Depends on the specific TLS library implementation, what other hashes
> etc are used alongside, and any crypto hardware support in the machine
> running it.
>
there is no crypto hardware support as far as I know, my squid box is just
a VM, and I guess squid (I'm using 3.4.10) is using OpenSSL as TLS
library (latest of CentOS 6)

>> the reason why I'm asking this:
>>
>> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
>> SSL-interception, and there the browsers show different Ciphersuites;
>>
>> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
>>
>> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus,
>> the
>> Anti-Virus itself uses 3DES to the proxy server?
>> (the proxy server matches another Ciphersuite to the web host)
>
> Yes it is like that. TLS is point-to-point encryption.

Ok, because of the strange thing in connection with this:

I had

http_port 3128 ... dhparam=./dhparam.pem

and before installing Kaspersky Anti-Virus there was no error; but in
connection with the SSL-Interception of Kaspersky Anti-Virus, I got an SSL
error in Mozilla Firefox like "invalid server hello".
Removing dhparam=... from http_port resolves this "issue";

Thanks,
Walter
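An added illustration, not taken from Walter's or Amos's messages, of what the cipher= option on http_port actually takes: an OpenSSL cipher-list string. It puts the 3DES restriction from the question beside an AES-128 list. The certificate and parameter file paths are placeholders; dhparams= is the spelling of the option as Squid 3.x documents it; and a suite only gets offered if the Squid/OpenSSL build supports it (names the build does not know are skipped when the list is parsed).

```conf
# Added example, not part of the thread. Squid 3.x ssl-bump listener,
# two variants of the same http_port line. Paths are placeholders.

# Variant from the question: only 3DES suites. 3DES is a 64-bit block
# cipher and is slower in software than AES-128, so it saves no CPU
# and lowers security at the same time. Shown commented out.
#http_port 3128 ssl-bump cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.key cipher=3DES

# Preferred variant: AES-128 suites with an ephemeral key exchange first,
# plain AES128-SHA as a fallback for old clients, anonymous/NULL/3DES/RC4
# suites excluded, SSLv2 and SSLv3 disabled, DH parameters from a file.
http_port 3128 ssl-bump cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.key cipher=ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:!aNULL:!eNULL:!3DES:!RC4 options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/dhparam.pem
```

A cipher= list that the client-side interceptor (here Kaspersky) cannot satisfy fails the handshake outright rather than degrading, so before rolling such a line out it is worth checking from a client with `openssl s_client -connect proxy:3128 -cipher <suite>` which of the listed suites actually get negotiated.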
