[squid-users] sslproxy_options on squid 3.5.20

Nisa Balakrishnan nisa.balakrishnan at servian.com
Tue Oct 6 00:35:56 UTC 2020


Hi,

I am trying to allow access for only TLS versions 1.2 and above on Squid 3.5.20.

For testing purposes, I have set the options in the squid config as follows.

```
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2

sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
```

I test using curl:
```
curl -v https://api.github.com/users/xyz
```

I am able to access GitHub and the SSL connection is TLS 1.2:

```
*   Trying 13.236.14.80...
* TCP_NODELAY set
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jun 22 00:00:00 2020 GMT
*  expire date: Aug 17 12:00:00 2022 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> GET /users/xyz HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 05 Oct 2020 22:57:40 GMT
< content-type: application/json; charset=utf-8
< server: GitHub.com
< status: 200 OK
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"
< last-modified: Wed, 23 May 2018 19:43:26 GMT
< x-github-media-type: github.v3; format=json
< access-control-expose-headers: ETag, Link, Location, Retry-After,
X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used,
X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes,
X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< X-Ratelimit-Limit: 60
< X-Ratelimit-Remaining: 59
< X-Ratelimit-Reset: 1601942260
< X-Ratelimit-Used: 1
< Accept-Ranges: bytes
< Content-Length: 1220
< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4
<
{
  "login": "xyz",
  "id": 14513,
  "node_id": "MDQ6VXNlcjE0NTEz",
  "avatar_url": "https://avatars1.githubusercontent.com/u/14513?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/xyz",
  "html_url": "https://github.com/xyz",
  "followers_url": "https://api.github.com/users/xyz/followers",
  "following_url": "https://api.github.com/users/xyz/following{/other_user}",
  "gists_url": "https://api.github.com/users/xyz/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/xyz/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/xyz/subscriptions",
  "organizations_url": "https://api.github.com/users/xyz/orgs",
  "repos_url": "https://api.github.com/users/xyz/repos",
  "events_url": "https://api.github.com/users/xyz/events{/privacy}",
  "received_events_url": "https://api.github.com/users/xyz/received_events",
  "type": "User",
  "site_admin": false,
  "name": "xyz",
  "company": null,
  "blog": "",
  "location": null,
  "email": null,
  "hireable": null,
  "bio": null,
  "twitter_username": null,
  "public_repos": 1,
  "public_gists": 0,
  "followers": 8,
  "following": 1,
  "created_at": "2008-06-21T11:58:01Z",
  "updated_at": "2018-05-23T19:43:26Z"
}
* Connection #0 to host api.github.com left intact
```

Despite setting no TLS 1.2, I am able to successfully make a connection.
What am I missing here?
Any help much appreciated.

-- 

*Nisa Balakrishnan*      Automation Engineer | m: 0473942819 | p: 03 9081 3700 <+61390813700>
Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008

Vibrato has merged with Servian! Check out the news article here
<https://www.arnnet.com.au/article/664971/servian-nabs-vibrato-multi-million-dollar-deal/>
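An added check for configurations like the one in the post (example code written for this page, not from the original message or the Squid project): it parses the `NO_*` protocol tokens of an `options=` / `sslproxy_options` string as they are named in the squid.conf documentation, reports which protocol versions an OpenSSL build would still negotiate under them and how that compares with an intended "TLS 1.2 and above" minimum, and can optionally probe an endpoint one TLS version at a time, because a single default curl run only shows the version that was negotiated, not which versions are refused. The check applies to either directive, since `options=` on `https_port` governs the client-facing listener and `sslproxy_options` the connections Squid opens to origin servers. The `TLSv1_3` entry is an assumption that only applies to OpenSSL builds with TLS 1.3 support; Squid 3.5 on OpenSSL 1.0.x has none, so the examples below pass a five-version list. A host reached through an interception proxy presents that proxy's CA, which would have to be loaded into the probing context for verification to succeed.

```python
# Added example, not from the original post or the Squid project.
# Models which protocol versions a Squid 3.5 `options=` / `sslproxy_options`
# string leaves enabled and optionally probes an endpoint per TLS version.
from __future__ import annotations

import socket
import ssl
from typing import Iterable

# Protocol versions in ascending order, named as in the Squid NO_* tokens.
# Assumption: TLSv1_3 only exists on OpenSSL builds with TLS 1.3 support;
# pass PROTOCOL_ORDER[:5] for a Squid 3.5 / OpenSSL 1.0.x build.
PROTOCOL_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def parse_no_flags(options: str) -> set[str]:
    """Return the protocol versions disabled by a string such as
    'NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2'.  Tokens that are not protocol
    switches (SINGLE_DH_USE, NO_TICKET, ...) are ignored; a NO_ token that
    looks like a version but is unknown (e.g. NO_TLSv12) raises, so a typo
    is not silently counted as a restriction that never takes effect."""
    disabled: set[str] = set()
    for token in filter(None, (t.strip() for t in options.split(","))):
        if not token.startswith("NO_"):
            continue
        version = token[3:]
        if version in PROTOCOL_ORDER:
            disabled.add(version)
        elif version.startswith(("SSLv", "TLSv")):
            raise ValueError(f"unknown protocol option {token!r}")
        # other NO_* tokens (e.g. NO_TICKET) are not protocol versions
    return disabled


def enabled_versions(options: str, supported: Iterable[str] = PROTOCOL_ORDER) -> list[str]:
    """Versions still negotiable: what the OpenSSL build supports minus
    what the options switch off."""
    disabled = parse_no_flags(options)
    return [v for v in supported if v not in disabled]


def check_minimum(options: str, minimum: str,
                  supported: Iterable[str] = PROTOCOL_ORDER) -> dict[str, list[str]]:
    """Compare the options against an intended policy of 'minimum and above'.
    Both lists empty means the options implement that policy exactly."""
    if minimum not in PROTOCOL_ORDER:
        raise ValueError(f"unknown version {minimum!r}")
    supported = list(supported)
    rank = PROTOCOL_ORDER.index
    disabled = parse_no_flags(options)
    return {
        "below_minimum_enabled": [v for v in supported
                                  if rank(v) < rank(minimum) and v not in disabled],
        "at_or_above_disabled": [v for v in supported
                                 if rank(v) >= rank(minimum) and v in disabled],
    }


# Python's ssl module cannot speak SSLv2/SSLv3, so only TLS versions are probed.
_TLS_VERSION_MAP = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict[str, str]:
    """One handshake per TLS version, with minimum and maximum pinned to the
    same value so each attempt either negotiates exactly that version or
    fails.  Certificate verification stays on; an interception proxy's CA
    would have to be added with ctx.load_verify_locations()."""
    results: dict[str, str] = {}
    for name, version in _TLS_VERSION_MAP.items():
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError) as exc:
            results[name] = f"unsupported by local OpenSSL: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = str(tls.version())
        except (ssl.SSLError, OSError) as exc:
            results[name] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    import sys

    post_options = "NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2"   # string from the post
    squid35_supported = PROTOCOL_ORDER[:5]                   # no TLS 1.3 on OpenSSL 1.0.x
    print("still enabled:", enabled_versions(post_options, squid35_supported))
    print("gaps vs. TLS 1.2 minimum:",
          check_minimum(post_options, "TLSv1_2", squid35_supported))
    if len(sys.argv) > 1:  # optional live probe: python tls_options_check.py host[:port]
        host, _, port = sys.argv[1].partition(":")
        for name, outcome in probe_versions(host, int(port or 443)).items():
            print(f"{name:8} -> {outcome}")
```

Run without arguments it only evaluates the option strings; with a host argument it additionally performs the per-version probe, which is the direct way to confirm that a listener actually refuses the versions the configuration is meant to exclude rather than inferring it from one successful connection.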