[squid-users] How to restrict the maximum negotiated version of squid HTTPS to TLS1.2
Amos Jeffries
squid3 at treenet.co.nz
Tue Apr 2 05:07:22 UTC 2019
On 2/04/19 2:10 pm, 赵 俊 wrote:
> Hi, this is part of my squid.conf:
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA
>
> acl broken_sites ssl::server_name foo.com
> acl ssl_step1 at_step SslBump1
>
> ssl_bump peek ssl_step1
> ssl_bump bump broken_sites
> ssl_bump splice all
>
> so how to restrict the maximum negotiated version of squid HTTPS to TLS1.2?
That is not possible without patching Squid. Only versions up to TLS/1.2
can be controlled by any published Squid.
> I also try configure like this:
>
>
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem version=4
>
>
> it did not work.
>
The deprecated 'version=4' setting means TLS/*1.0* only.
> the access.log show TCP/TUNNEL 200
>
That indicates that the protocol arriving from the client is probably
not TLS or SSL in any form, but some other protocol. If that is true
then no matter what you set for TLS versions allowed it will always tunnel.
Amos
More information about the squid-users
mailing list