[squid-users] SSL Squid 5 Cipher suite ordering issue

Alex Rousskov rousskov at measurement-factory.com
Thu Feb 4 16:39:11 UTC 2021


On 2/4/21 10:32 AM, Prem Chand wrote:

> I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order
> changes when I access the below website through Squid and without using
> squid I'm getting correct order.
> 
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
> 
> I want to know why and how Squid is changing the cipher suite order and
> how to stop squid from doing it. Please advise.

There are several different use cases related to cipher order in
Squid-server connections, including these TLS v1.2 (and earlier) cases:

1. You are specifying "tls_outgoing_options cipher", and you are either
not using SslBump or bumping the TLS client during SslBump step1. In
this case, Squid should pass your tls_outgoing_options cipher
configuration to OpenSSL. What happens next is up to OpenSSL.

2. You are not specifying "tls_outgoing_options cipher", and you are
either not using SslBump or bumping the TLS client during SslBump step1.
In this case, Squid does not tell what ciphers to use. What happens next
is up to OpenSSL.

3. You are bumping the TLS client during SslBump step2. In this case,
Squid should give TLS client ciphers to OpenSSL. What happens next is up
to OpenSSL.

4. You are bumping the TLS client during SslBump step3. I am not sure
what should happen here, but perhaps Squid should, during step2, forward
TLS client ciphers that Squid supports, in TLS client order. I do not
know whether Squid actually does that.

To understand why ciphers are reordered, you need to figure out which
use case applies to your test and, if applicable, investigate whether
OpenSSL honors the cipher order specified in SSL_set_cipher_list() and
SSL_CTX_set_cipher_list() calls.

If you confirm that Squid should give the cipher list to OpenSSL in your
use case, and OpenSSL should honor the cipher order, then you can look
for Squid bugs, but that will probably require debugging log analysis
and developer-level expertise.


See also:
http://lists.squid-cache.org/pipermail/squid-users/2021-January/023155.html


HTH,

Alex.
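One way to carry out the OpenSSL part of the investigation Alex describes, as an added example that is not part of the thread: Python's stdlib `ssl` module calls OpenSSL's `SSL_CTX_set_cipher_list()` under the hood, so it can show whether a given cipher string is parsed into the order it was written in, independently of anything Squid does. The cipher strings below are constructed examples; the check covers TLS 1.2 and earlier suites only, since TLS 1.3 suites are configured separately and ignore this string.

```python
"""Check whether OpenSSL keeps the order of an explicit cipher string.

Added example (not Squid code). It exercises the same OpenSSL cipher-list
parser that Squid's tls_outgoing_options cipher= value ends up in, so a
reordering seen here is OpenSSL's doing, not Squid's.
"""
import ssl


def tls12_cipher_order(cipher_string: str) -> list:
    """Return the TLS 1.2-and-earlier cipher names OpenSSL derives from
    cipher_string, in the priority order it will advertise them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    # get_ciphers() lists the TLS 1.3 suites first whenever TLS 1.3 is
    # enabled; they are governed by SSL_CTX_set_ciphersuites(), not by this
    # string, so drop them to see only the order the string controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def order_preserved(cipher_string: str) -> bool:
    """True if every explicit cipher name in cipher_string appears in the
    parsed list in the same relative order it was written.  Keywords such
    as HIGH or @STRENGTH never match a parsed name, so they are skipped."""
    actual = tls12_cipher_order(cipher_string)
    explicit = [tok for tok in cipher_string.split(":") if tok in actual]
    positions = [actual.index(tok) for tok in explicit]
    return positions == sorted(positions)


if __name__ == "__main__":
    # Constructed inputs: the same two suites written in both orders, plus a
    # variant with @STRENGTH, which tells OpenSSL to re-sort by key length.
    for cs in (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:@STRENGTH",
    ):
        print(cs, "->", tls12_cipher_order(cs), "preserved:", order_preserved(cs))
```

If `order_preserved()` is true for the exact string you hand to Squid but the ClientHello seen on the wire is still reordered, the reordering is happening in Squid's handling (the use-case analysis above), not in OpenSSL's parsing.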

