[squid-users] Change cipher suite ordering

vinod mg vinod9987 at gmail.com
Tue Jan 19 04:43:25 UTC 2021


I have been trying to make this work but still no luck. Any help
is appreciated.

Thanks,
Vinod

On Tue, Jan 12, 2021 at 4:34 PM vinod mg <vinod9987 at gmail.com> wrote:

> Hi Amos,
>
> Thanks for responding, really appreciate the quick response.
>
> So yes, if Squid can mimic exactly what the client is sending, that is all I am
> looking for, but here that is not the case; as you can see in the example below,
> Squid is re-arranging the cipher list, which I do not want.
>
> Below is the default cipher list order I got with plain firefox browsing
> howsmyssl.com <https://www.howsmyssl.com/> without proxy -
>
>    - TLS_AES_128_GCM_SHA256
>    - TLS_CHACHA20_POLY1305_SHA256
>    - TLS_AES_256_GCM_SHA384
>    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
>    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>    - TLS_RSA_WITH_AES_128_GCM_SHA256
>    - TLS_RSA_WITH_AES_256_GCM_SHA384
>    - TLS_RSA_WITH_AES_128_CBC_SHA
>    - TLS_RSA_WITH_AES_256_CBC_SHA
>    - TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
> Below is the cipher list order I got with same firefox browsing
> howsmyssl.com <https://www.howsmyssl.com/> with explicit squid
> proxy configured -
>
>    - TLS_AES_256_GCM_SHA384
>    - TLS_CHACHA20_POLY1305_SHA256
>    - TLS_AES_128_GCM_SHA256
>    - TLS_AES_128_CCM_SHA256
>    - TLS_RSA_WITH_AES_256_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>    - TLS_RSA_WITH_AES_256_GCM_SHA384
>    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>    - TLS_RSA_WITH_AES_128_CBC_SHA
>    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>    - TLS_RSA_WITH_3DES_EDE_CBC_SHA
>    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
>    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>    - TLS_RSA_WITH_AES_128_GCM_SHA256
>    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>    - TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>
> I have tried removing "cipher=" from both "tls_outgoing_options" and
> "http_port", but the cipher list sent by the client is still changed
> while it is passing through Squid. Please let me know if I am missing anything.
>
> Thanks,
> Vinod
>
> On Tue, Jan 12, 2021 at 3:20 PM Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 12/01/21 5:44 pm, vinod mg wrote:
>> > Hello Team,
>> >
>> > I need some help in configuring cipher suite ordering. I am using Squid
>> > with SSL configs and trying to configure the cipher order, but I am not able
>> > to do so. I am using the sites below to check my cipher ordering, and they are
>> > showing a different ordering than what I have configured.
>> >
>> > https://www.howsmyssl.com <https://www.howsmyssl.com>
>> > https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
>> > <https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html>
>> >
>>
>> These sites show what the client is sending. Modern Squid mimics what the
>> browser sends as closely as possible to avoid adding issues.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
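A practical way to check Amos's point against Vinod's two observations is to diff the two offered lists programmatically rather than by eye. The script below is an added example, not code from the thread or from the Squid project; the two lists are reconstructed from the howsmyssl.com output quoted above (Firefox direct versus Firefox through the explicit Squid proxy), and the "weak suite" and TLS 1.3 classifications are naming-convention heuristics of my own. It reports which suites the proxy added or dropped, how many common suites changed relative position, and which TLS 1.2 suite ends up first in each list, which is what a TLS 1.2-only server would treat as the client's top preference.

```python
"""Compare the cipher-suite order a client offers directly with the order
observed when the same client is sent through a TLS-intercepting proxy."""

from typing import Dict, List, Optional

# Constructed from the two howsmyssl.com observations quoted in this thread:
# Firefox without a proxy (DIRECT) and Firefox via the explicit Squid proxy (VIA_PROXY).
DIRECT: List[str] = [
    "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
VIA_PROXY: List[str] = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# Heuristics (assumption): TLS 1.3 suites carry no key-exchange name, and the
# SCSV values are signalling entries rather than real cipher suites.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}


def is_tls13(suite: str) -> bool:
    return suite.startswith(TLS13_PREFIXES)


def compare_orders(direct: List[str], via_proxy: List[str]) -> Dict[str, object]:
    """Classify every difference between two offered lists.

    'added'/'removed' are suites present in only one list; 'moved' are suites in
    both whose relative position changed once added/removed ones are ignored;
    'identical' is True only when the lists match exactly, order included."""
    direct_set, proxy_set = set(direct), set(via_proxy)
    common_direct = [s for s in direct if s in proxy_set]
    common_proxy = [s for s in via_proxy if s in direct_set]
    proxy_pos = {s: i for i, s in enumerate(common_proxy)}
    moved = [s for i, s in enumerate(common_direct) if proxy_pos[s] != i]
    return {
        "identical": direct == via_proxy,
        "added": [s for s in via_proxy if s not in direct_set],
        "removed": [s for s in direct if s not in proxy_set],
        "moved": moved,
    }


def first_tls12_preference(order: List[str]) -> Optional[str]:
    """First TLS 1.2 suite in the list: the top preference a TLS 1.2-only server sees."""
    for s in order:
        if not is_tls13(s) and s not in SIGNALLING:
            return s
    return None


def without_forward_secrecy(order: List[str]) -> List[str]:
    """Suites using static RSA key exchange; a later server-key compromise
    would expose every past session negotiated with them."""
    return [s for s in order if s.startswith("TLS_RSA_WITH_")]


def report(direct: List[str], via_proxy: List[str]) -> str:
    d = compare_orders(direct, via_proxy)
    common = len(direct) - len(d["removed"])
    return "\n".join([
        f"identical order:       {d['identical']}",
        f"added by proxy:        {', '.join(d['added']) or '-'}",
        f"dropped by proxy:      {', '.join(d['removed']) or '-'}",
        f"re-ordered suites:     {len(d['moved'])} of {common}",
        f"first TLS 1.2 pref (direct):    {first_tls12_preference(direct)}",
        f"first TLS 1.2 pref (via proxy): {first_tls12_preference(via_proxy)}",
        f"non-PFS suites offered via proxy: {len(without_forward_secrecy(via_proxy))}",
    ])


if __name__ == "__main__":
    print(report(DIRECT, VIA_PROXY))
```

Run against the thread's two lists, the report shows the proxy added TLS_AES_128_CCM_SHA256 and the renegotiation SCSV, dropped nothing, and re-ordered 15 of the 18 common suites, so the client's ClientHello is clearly not being passed through unchanged. The more security-relevant line is the first TLS 1.2 preference: the browser leads with an ECDHE GCM suite, while the proxied list leads with a static-RSA CBC suite, which is what a server that honours client preference would pick.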