[squid-users] Disable tls1.3 support , can't get SNI / cert details when it's used

Stilyan Georgiev stilyangeorgiev at gmail.com
Wed Feb 27 23:25:40 UTC 2019


When testing like so: openssl s_client -connect google.com:443
I get tls1.2 back

Via mobile chrome browser (android) and the proxy I get tls1.3
Truly don't understand :)

----- Some output -----
Service Name: squid
This binary uses OpenSSL 1.1.1  11 Sep 2018.

dpkg --list |grep ssl
ii  libgnutls-openssl27:amd64    3.6.4-2ubuntu1.1    amd64  GNU TLS library - OpenSSL wrapper
ii  libio-socket-ssl-perl        2.060-3             all    Perl module implementing object oriented interface to SSL sockets
ii  libnet-smtp-ssl-perl         1.04-1              all    Perl module providing SSL support to Net::SMTP
ii  libnet-ssleay-perl           1.85-2ubuntu2       amd64  Perl module for Secure Sockets Layer (SSL)
ii  libssl-dev:amd64             1.1.1-1ubuntu2.1    amd64  Secure Sockets Layer toolkit - development files
ii  libssl1.0.0:amd64            1.0.2n-1ubuntu6.2   amd64  Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64              1.1.1-1ubuntu2.1    amd64  Secure Sockets Layer toolkit - shared libraries
ii  libxmlsec1-openssl:amd64     1.2.26-3            amd64  Openssl engine for the XML security library
ii  libzstd1:amd64               1.3.5+dfsg-1ubuntu1 amd64  fast lossless compression algorithm
ii  openssl                      1.1.1-1ubuntu2.1    amd64  Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64  3build1             amd64  version compatibility baseline for Perl OpenSSL packages
ii  python3-openssl              18.0.0-1            all    Python 3 wrapper around the OpenSSL library
rc  ssl-cert                     1.0.39              all    simple debconf wrapper for OpenSSL


On Thu, Feb 28, 2019 at 1:13 AM Stilyan Georgiev <stilyangeorgiev at gmail.com>
wrote:

> Thanks for the input Alex.
> I had many, many issues compiling openssl without tls1.3. At first i tried
> doing it side by side with version I had in OS but failed miserably, with
> squid continuing to use the OS package.
> Eventually I release-upgraded the OS and now have the 1.1.1-1 package from
> the repo, rebuilt it with no-tls1_3 in CONFARGS
>
> And to my amazement squid continues serving tls1.3 :)
>
> Any suggestions on how to allow tls1.1 and tls1.2 only are very
> welcome. Maybe tls_outgoing_options cipher= ...
>
> Thanks in advance for helping out!
>
> On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <
> rousskov at measurement-factory.com> wrote:
>
>> On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
>>
>> > Squid 4.5 with openssl support here.
>> > SSL bumping can't obtain SNI / cert domain to perform filtering when
>> > tls1.3 is used.
>> > I want to disable support for tls1.3 in config but don't find way to do
>> > so. There's the outdated sslproxy_options config directive which doesn't
>> > appear to be supported in 4.5
>> >
>> > The goal is - allow everything , besides tls1.3
>>
>> Good question!
>>
>> TLS v1.3 clients that use "Middlebox Compatibility Mode", including
>> OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
>> that attempt to restore a non-existent TLS session. Squid probably does
>> not have ACLs that can detect those lies. However, if you think you can
>> detect them, you can pass TLS Hello to your external ACL via the
>> %>handshake logformat code.
>>
>> If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
>> I suspect the answer is "yes, but only if you bump the client connection
>> first": A peeking Squid cannot negotiate a different TLS version with
>> the client. If TLS downgrade is what you want, you can probably use an
>> OpenSSL version that does not support TLS v1.3. There may also be an
>> OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
>> have not researched that.
>>
>> Finally, there may be a bug in earlier versions of Squid that breaks
>> peeking at TLS v1.3 servers during step2. Staring works. We have not
>> tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
>> is largely pointless because useful information in TLS v1.3 Server Hello
>> is encrypted.
>>
>>
>> HTH,
>>
>> Alex.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
> --
> Yours Sincerely,
>
> *Stilyan Georgiev*
>
>


-- 
Yours Sincerely,

*Stilyan Georgiev*
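Added example, not code from this thread or from the Squid project: a sketch of the external ACL helper Alex alludes to. It takes the raw ClientHello that Squid can hand over via the %>handshake format code, extracts the cleartext SNI and the supported_versions extension, and answers OK when the client offers TLS 1.3 (0x0304) even though the record and legacy_version fields say TLS 1.2, which is exactly the "middlebox compatibility mode" lie described above. Note that the SNI itself is still cleartext in a TLS 1.3 ClientHello; what TLS 1.3 encrypts is the server's Certificate, so an ACL like this can only classify clients, it cannot make a peeked connection negotiate TLS 1.2. Assumptions: that your Squid build passes %>handshake to the helper base64-encoded (check the external_acl_type and logformat documentation for your version), and that the helper speaks the plain line-oriented OK/ERR protocol without concurrency channels. The sample ClientHellos are constructed inline; no real traffic is embedded.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (added example): classify a client by what its
ClientHello really offers.  Assumptions: Squid hands %>handshake to the helper
base64-encoded, and the helper speaks the plain OK/ERR line protocol."""
import base64
import struct
import sys

TLS12, TLS13 = 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43


def build_client_hello(server_name, offered_versions, session_id=b"\x5a" * 32):
    """Constructed sample ClientHello for offline testing (not captured traffic).
    legacy_version is always 0x0303: a TLS 1.3 client in middlebox-compatibility
    mode looks like a TLS 1.2 client resuming a session, and only the
    supported_versions extension reveals that it offers 0x0304."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    if offered_versions:
        vlist = b"".join(struct.pack("!H", v) for v in offered_versions)
        exts += (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vlist) + 1)
                 + bytes([len(vlist)]) + vlist)
    body = (struct.pack("!H", TLS12) + b"\x11" * 32                 # legacy_version, random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(raw):
    """Return legacy_version, cleartext SNI and the supported_versions list of a
    ClientHello record; raises ValueError on anything that is not one."""
    if len(raw) < 5 or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", raw[3:5])[0]
    hs = raw[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": struct.unpack("!H", body[0:2])[0],
            "sni": None, "supported_versions": []}
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return info                                # no extensions at all (legacy client)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI:
            p = 2                                  # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            n = data[0]
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + n, 2) if i + 2 <= len(data)]
    return info


def client_offers_tls13(raw):
    """True when the client offers 0x0304, whatever the legacy fields claim."""
    return TLS13 in parse_client_hello(raw)["supported_versions"]


def encode_for_squid(raw):
    """The encoding this helper assumes Squid uses for %>handshake."""
    return base64.b64encode(raw).decode("ascii")


def acl_decision(line):
    """One request line from Squid -> 'OK' (client offers TLS 1.3) or 'ERR'."""
    try:
        return "OK" if client_offers_tls13(base64.b64decode(line.strip())) else "ERR"
    except (ValueError, IndexError, struct.error):
        return "ERR"                               # unparseable: do not match


if __name__ == "__main__":
    for request in sys.stdin:                      # Squid's line-oriented helper protocol
        sys.stdout.write(acl_decision(request) + "\n")
        sys.stdout.flush()
```

To wire it in you would declare an external_acl_type whose format is %>handshake followed by the helper path, define an acl of that type, and reference it from ssl_bump (for instance to terminate or splice rather than peek at clients that match). The helper deliberately answers ERR on anything it cannot parse, so a malformed or non-TLS first packet never matches the "offers TLS 1.3" ACL by accident.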