[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"
Dieter Bloms
squid.org at bloms.de
Mon Dec 12 11:34:29 UTC 2022
Hello,
I've enabled sslbump and configured the following outgoing tls options:
tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA
so for me it looks like squid must not use TLS1.1 or TLS1.0.
But for some web sites like
https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html
the first request is made with an tls1.0 client hello packet.
When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.
So what option can be used to force a minimum tls1.2 client hello package every time?
Here is a link to the pcap file with both variants: https://bloms.de/download/www.europarl.europa.eu.pcap
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.
More information about the squid-users
mailing list