[squid-users] Regarding Squid SSL cipher filtering

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 2 12:23:37 UTC 2019


On 2/02/19 12:04 pm, john doe wrote:
> Hi Squid-Community,
> 
> I've a question for which I haven't been able to find answer.
> 
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.

The sslproxy_* directives (as of v4 called tls_outgoing_options) are for
TLS/SSL control of connections to servers.

The https_port and http_port directives have options for TLS/SSL on
connections from clients.

The cache_peer directive has options for fine tuning or locking down
TLS/SSL to each peer server.


> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?

For TLS interactions between the client and server (CONNECT tunnels)
then Yes, you need to MITM (SSL-Bump) to interact with their crypto.

For TLS between client and proxy, then no. Squid is in control already -
at least of the proxy end of the connection.



> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
> 

None needed. Nobody knows everything about Squid (even us official and
logn-term devs). Help is what this list is for :-)

Amos


More information about the squid-users mailing list