[squid-users] Disable tls1.3 support , can't get SNI / cert details when it's used

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 28 01:52:04 UTC 2019


On 28/02/19 12:25 pm, Stilyan Georgiev wrote:
> When testing like so: openssl s_client -connect google.com:443
> I get tls1.2 back
> 
> Via mobile chrome browser (android) and the proxy I get tls1.3
> Truly don't understand :)
> 

I expect that Chrome is using its own custom SSL library and HTTP/3
protocol which does not go through Squid.

The openssl test will be strictly using a single TCP connection with a
CONNECT tunnel through your Squid. The SSL-Bump process you have setup
will be bumping that and Squid negotiating the TLS version you have
configured.

Chrome, on the other hand, may be negotiating a TLS/1.3 handshake via
side channels and then resuming it as a normal TLS session resumption
over the Squid connection, OR possibly not even going via the proxy at
all (aka QUIC, HTTP/3).

Google products also have a preference for using Google's custom SSL
library rather than OpenSSL - so your custom OpenSSL may not be relevant
at the client endpoint. Whereas the openssl tools will naturally be
using libssl like Squid.


If you are not using SSL-Bump in the way(s) indicated previously by
Alex, then your custom OpenSSL build and squid.conf options are
irrelevant. The CONNECT traffic would be going straight through the
proxy without being touched. To have any control over TLS the proxy must
be an _active_ agent participating in the TLS handshake.

HTH
Amos
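An added example, not part of this thread or of the Squid code base, showing why the "version" reported for a TLS connection can be confusing. A TLS 1.3 ClientHello still carries legacy_version 0x0303 (TLS 1.2) in the handshake header; the versions the client really offers live in the supported_versions extension (type 43). The SNI (extension type 0) is the only hostname information available to a peeking proxy, and if the server then picks TLS 1.3 the Certificate message is encrypted, so the proxy must actively bump (or splice on SNI alone) rather than read cert details passively. The parser below is my own code; build_client_hello produces constructed sample input, not a real capture, and the function and field names are assumptions of this example.

```python
"""Parse a TLS ClientHello as a peeking proxy would see it: SNI and offered versions."""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0          # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions


def build_client_hello(sni, offer_tls13):
    """Construct a minimal ClientHello record (sample input for this example, not a real capture)."""
    sni_bytes = sni.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(sni_bytes)) + sni_bytes   # type host_name(0)
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    if offer_tls13:
        versions = struct.pack("!HH", 0x0304, 0x0303)        # offer TLS 1.3 then TLS 1.2
        sv_body = bytes([len(versions)]) + versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    body = (
        b"\x03\x03"                                   # legacy_version: always 0x0303, even for 1.3
        + b"\x00" * 32                                # random (zeros: constructed sample)
        + b"\x00"                                     # legacy_session_id: empty
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version, SNI, the versions actually offered and the highest of them."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip random
    pos += 1 + body[pos]                            # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                            # skip compression_methods
    result = {"legacy_version": legacy_version, "sni": None, "offered_versions": [legacy_version]}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, then entries of type(1) + len(2) + name
                lpos = 2
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        result["sni"] = edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]   # 1-byte length of the version list
                result["offered_versions"] = [
                    struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)
                ]
    result["max_version"] = max(result["offered_versions"])
    result["max_version_name"] = TLS_VERSIONS.get(result["max_version"], hex(result["max_version"]))
    # If the server accepts 1.3, the Certificate message is encrypted: a peek sees only the SNI.
    result["may_negotiate_tls13"] = result["max_version"] >= 0x0304
    return result


if __name__ == "__main__":
    for offer in (False, True):
        info = parse_client_hello(build_client_hello("google.com", offer))
        print("legacy_version=%s offers up to %s sni=%s may_negotiate_tls13=%s" % (
            TLS_VERSIONS[info["legacy_version"]], info["max_version_name"],
            info["sni"], info["may_negotiate_tls13"]))
```

Run against a real ClientHello captured in front of Squid (for example from a pcap of the client-to-proxy leg after CONNECT) and the result shows whether the client is even offering TLS 1.3; if it is and the server accepts, a peek-only configuration cannot see the server certificate, which is why an active bump (or a splice decision made on SNI alone) is required.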

