[squid-users] Regarding Squid SSL cipher filtering
Alex Rousskov
rousskov at measurement-factory.com
Sat Feb 2 20:29:30 UTC 2019
On 2/1/19 4:04 PM, john doe wrote:
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:
* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).
* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::<negotiated_cipher).
For bumped connections, there is also %ssl::>negotiated_cipher.
Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.
Cheers,
Alex.
More information about the squid-users
mailing list