[squid-users] Disable tls1.3 support , can't get SNI / cert details when it's used
Alex Rousskov
rousskov at measurement-factory.com
Tue Feb 26 19:10:31 UTC 2019
On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
> Squid 4.5 with openssl support here.
> SSL bumping can't obtain SNI / cert domain to perform filtering when
> tls1.3 is used.
> I want to disable support for tls1.3 in config but don't find way to do
> so. There's the outdated sslproxy_options config directive which doesn't
> appear to be supported in 4.5
>
> The goal is - allow everything , besides tls1.3
Good question!
TLS v1.3 clients that use "Middlebox Compatibility Mode", including
OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
that attempt to restore a non-existent TLS session. Squid probably does
not have ACLs that can detect those lies. However, if you think you can
detect them, you can pass TLS Hello to your external ACL via the
%>handshake logformat code.
If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
I suspect the answer is "yes, but only if you bump the client connection
first": A peeking Squid cannot negotiate a different TLS version with
the client. If TLS downgrade is what you want, you can probably use an
OpenSSL version that does not support TLS v1.3. There may also be an
OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
have not research that.
Finally, there may be a bug in earlier versions of Squid that breaks
peeking at TLS v1.3 servers during step2. Staring works. We have not
tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
is largely pointless because useful information in TLS v1.3 Server Hello
is encrypted.
HTH,
Alex.
More information about the squid-users
mailing list