[squid-users] How to restrict the maximum negotiated version of squid HTTPS to TLS1.2

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 3 05:00:28 UTC 2019


On 2/04/19 6:07 pm, Amos Jeffries wrote:
> On 2/04/19 2:10 pm, 赵 俊 wrote:
>> Hi, this is part of my squid.conf:
>> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA 
>>
>> acl broken_sites ssl::server_name foo.com 
>> acl ssl_step1 at_step SslBump1
>>
>> ssl_bump peek ssl_step1
>> ssl_bump bump broken_sites
>> ssl_bump splice all
>>
>> so how to restrict the maximum negotiated version of squid HTTPS to TLS1.2?
> 
> 
> That is not possible without patching Squid. Only versions up to TLS/1.2
> can be controlled by any published Squid.
> 

You could try configuring your OpenSSL not to use TLS/1.3.

<http://openssl.6102.n7.nabble.com/How-to-disable-TLS-1-3-in-OpenSSL-1-1-1-td76300.html>

Amos


More information about the squid-users mailing list