[squid-users] Regarding Squid SSL cipher filtering

john doe myemailhandle at gmail.com
Sun Feb 3 21:21:18 UTC 2019


Thanks a lot guys for providing a clear explanation.
Much appreciated!

Cheers,
Chris

On Sat, Feb 2, 2019 at 3:29 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 2/1/19 4:04 PM, john doe wrote:
>
> > I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> > allowed.
>
> > I see that "sslproxy_cipher" config property would allow me to do it.
> > But what is unclear to me is whether just setting that list is enough or
> > it needs SSL-Bump too?
> > Pardon my ignorance around this. I'm not sure if Squid has access to the
> > cipher list.
>
> If you want to restrict ciphers used by clients establishing a TLS
> connection with the origin server (via a CONNECT tunnel through Squid)
> but you do not want to bump client-origin traffic that uses permitted
> ciphers, then you have several options, including:
>
> * Deny access to clients that offer banned ciphers to servers. Requires
> either a silent TCP connection termination or bumping to serve an error
> page. Requires TLS Client Hello analysis that is only supported in v4+
> (via an external ACL and %>handshake).
>
> * Deny access to servers that select banned ciphers (from the list of
> all ciphers offered by clients). Requires either a silent TCP connection
> termination or bumping to serve an error page. Requires TLS Server Hello
> analysis that is only supported in v4+ (via an external ACL and
> %ssl::<negotiated_cipher).
>
> For bumped connections, there is also %ssl::>negotiated_cipher.
>
> Sorry, I ran out of time to polish and detail the above further, but
> others on the list can help you if you need more information.
>
>
> Cheers,
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
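For the second option Alex lists above (deny access when the server selects a banned cipher, using an external ACL fed with `%ssl::<negotiated_cipher` on Squid 4+), here is a small external ACL helper written as an added example for this archive page. It is not code from the Squid project or from anyone in the thread. The helper name, the `squid.conf` wiring in the docstring, the banned-token list and the constructed sample inputs are all assumptions; the Squid external ACL helper protocol it speaks (one request per line, reply `OK` or `ERR`, echoing the channel ID when `concurrency=` is used) should be checked against the documentation for the Squid version in use. It fails closed: a missing cipher value (Squid emits `-`) is treated as a denial rather than a pass.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper that judges the TLS cipher the
origin server selected. Added example; not part of Squid or this thread.

Assumed squid.conf wiring (Squid 4+, as the thread states; the helper
path and ACL names are made up for this example):

    external_acl_type cipher_check ttl=60 negative_ttl=60 \\
        %ssl::<negotiated_cipher /usr/local/bin/cipher_check.py
    acl server_cipher_ok external cipher_check
    # then deny (or terminate/bump) where server_cipher_ok is false

Squid writes one line per lookup; with "concurrency=N" the line is
prefixed by an integer channel ID that must be echoed in the reply.
"""
import re
import sys

# Cipher-name tokens that mark a cipher suite as banned (assumed policy,
# not a Squid default): RC4, single/triple DES, NULL encryption, export
# grades, MD5 MACs and anonymous Diffie-Hellman variants.
BANNED_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXP1024",
                 "MD5", "ADH", "AECDH"}


def decide(cipher: str) -> str:
    """Return "OK" if the negotiated cipher is acceptable, else "ERR".

    Squid substitutes "-" when the value is unavailable; that case is
    denied so the policy fails closed instead of silently allowing.
    OpenSSL names are split on "-" and TLS 1.3 names on "_", so both
    "EXP-RC4-MD5" and "TLS_AES_256_GCM_SHA384" are tokenised correctly.
    """
    cipher = cipher.strip()
    if not cipher or cipher == "-":
        return "ERR"
    tokens = set(re.split(r"[-_]", cipher.upper()))
    return "ERR" if tokens & BANNED_TOKENS else "OK"


def handle_line(line: str) -> str:
    """Turn one raw request line from Squid into the reply line.

    Accepts both "<cipher>" and "<channel-id> <cipher>" request shapes.
    """
    parts = line.split()
    if len(parts) == 2 and parts[0].isdigit():
        channel, cipher = parts
        return f"{channel} {decide(cipher)}"
    cipher = parts[0] if parts else ""
    return decide(cipher)


def main() -> None:
    """Serve requests from Squid on stdin until EOF, flushing each reply."""
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the decision is made on the Server Hello, the connection has already reached the origin; as Alex notes, the enforcement that follows is either a silent TCP termination or a bump that can serve an error page. The `ttl`/`negative_ttl` values are placeholders and only control how long Squid caches the helper's verdict per cipher name.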