[squid-users] Bumping TLS 1.3
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 25 09:03:38 UTC 2018
On 25/10/18 1:21 PM, Turnbull, John wrote:
> I was wondering about bumping TLS 1.3 connections and if you think that
> will ever be supported.
>
Probably. ETA indeterminate.
To quote myself from the docs:
"When used properly TLS cannot be bumped".
What Squid does now is take advantage of shortcuts and workarounds many
installations use(d) to avoid trouble or administration hassles with
TLS/SSL.
Bump only works at all when those shortcuts allow Squid to impose itself
as MITM into the handshake sequence. TLS/1.3 does not change that
situation - just the code needed to do the insertion will have to be
redesigned a fair bit (already underway AFAIK).
What TLS/1.3 brings to the situation differently is hiding a lot of
details like SNI and server cert that were previously available up-front
for the admin to selectively *avoid* bumping traffic they thought was okay.
So admins will soon / now be faced with having to bump *everything* and
block those relatively few parties actually using TLS "properly".
The reality is that *splice* is the ability TLS/1.3 makes harder to do
reliably.
Amos
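The selective "avoid bumping traffic the admin thinks is okay" policy Amos refers to looks like the following squid.conf fragment. This is an added illustration, not configuration from the thread or from the Squid project; the ACL names and the .bank.example domain are placeholders.

```squid
# Identify the stage of the bumping handshake we are at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites the admin has decided not to intercept. Matched against whatever
# name details Squid could see (SNI at step1, server cert at step2).
acl NoBumpSites ssl::server_name .bank.example

# Step 1: look at the ClientHello without altering it.
ssl_bump peek step1

# If the peeked details identify a trusted site, pass the connection
# through untouched (no MITM, client sees the real server cert).
ssl_bump splice NoBumpSites

# Everything else gets bumped: Squid inserts itself into the handshake.
ssl_bump bump all
```

The post's point is that this splice decision depends on details being visible up-front; where TLS 1.3 removes them, the NoBumpSites rule has nothing to match and traffic falls through to the bump-all line.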