[squid-users] Squid SSL-bump error Change Cipher Spec
Amos Jeffries
squid3 at treenet.co.nz
Tue Dec 4 07:25:06 UTC 2018
On 4/12/18 12:18 pm, johnr wrote:
>> What are your squid.conf settings now?
>
> http_port 3128 ssl-bump
You are missing a CA certificate for the bumping process to use for the
certificates it sends the clients.
Also you do not have any ssl_bump lines here. They are required to tell
Squid which of the TLS/SSL traffic to consider for handling. Without
those lines the ssl-bump on the port does nothing.
> tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
>
This should be:
tls_outgoing_options options=NO_TICKET,ALL,No_SSLv3 min-version=1.0
That use of "ALL" there is a bit obscure. What it actually does is
*enable* all sorts of unsafe security features the library would
normally disable by default. Such as 8-bit hashes and very insecure RSA
keys.
The min-version is only required if the library defaults to actively
rejecting TLS/1.0 or such.
To let the library use its defaults you simply do not configure Squid to
require anything at all (i.e. remove the tls_outgoing_options directive
entirely).
Amos
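As an added illustration (not part of Amos's reply or of the Squid project's documentation), here is a squid.conf fragment that applies the three corrections above: a CA certificate on the bumping port, ssl_bump rules, and the `options=` form of tls_outgoing_options. Squid 4 directive names are assumed; the file paths and cache sizes are placeholders.

```conf
# Lines as posted in the thread, kept for contrast (do not use):
#   http_port 3128 ssl-bump
#   tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0

# 1. The port needs a CA certificate and key so Squid can sign the
#    certificates it presents to clients. Clients must trust this CA
#    (install it in their trust stores), otherwise every bumped site
#    shows a certificate warning. Paths below are placeholders.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key

# Helper process that mints the per-site certificates signed by that CA
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# 2. ssl_bump rules decide which TLS connections are handled. Without
#    them the ssl-bump flag on http_port does nothing. This peeks at
#    the client hello (to read the SNI) and then bumps everything;
#    replace "bump all" with "splice all" to pass traffic through
#    untouched while still logging the SNI.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 3. If outgoing options are needed at all, the library flags go behind
#    "options=". "ALL" is deliberately left out: it re-enables weak
#    features the library disables by default. Prefer omitting this
#    directive entirely so the library defaults apply; keep min-version
#    only if the library refuses TLS/1.0 and you truly need it.
tls_outgoing_options options=NO_TICKET min-version=1.0
```

Run `squid -k parse` after editing to have Squid validate the syntax before reloading.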