[squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?
Alex Rousskov
rousskov at measurement-factory.com
Mon Jun 10 12:59:35 UTC 2024
On 2024-06-10 08:10, Dieter Bloms wrote:
> I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION option to enable access to https://cisco.com.
> The web server does not support secure renegotiation.
>
> I have tried to set the following options, but squid does not recognize any of them:
>
> tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
>
> or
>
> tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> and
>
> tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> but no matter which syntax I use, I always get the message during squid -k parse:
>
> “2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
>
> How can I activate secure renegotiation for squid?
To set an OpenSSL connection option that Squid does not know by name,
use that option's hex value (based on your OpenSSL sources). For example:
# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
# SSL_OP_BIT(18) which is equal to (1 << 18) or 0x40000 in hex.
tls_outgoing_options options=0x40000
Disclaimer: I have not tested the above and do not know whether adding
that option achieves what you want to achieve.
HTH,
Alex.
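The lookup Alex describes (read the macro out of your OpenSSL headers, turn it into a mask, put the mask in squid.conf) is mechanical enough to script. The example below is added here and is not code from Alex, the Squid project or OpenSSL: the header excerpt is constructed to look like OpenSSL's `include/openssl/ssl.h` (only `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = SSL_OP_BIT(18)` is taken from the post; `SSL_OP_EXAMPLE_ALIAS` and `SSL_OP_EXAMPLE_LITERAL` are invented to exercise the alias and 1.1.x-style literal forms), and it assumes that several options may be OR'd into one mask because Squid hands the parsed number to OpenSSL as an option mask. The reverse function is the check a reviewer of an existing squid.conf wants: given an opaque `options=0x...` value, which named options does it actually enable?

```python
import re

# Constructed excerpt modelled on OpenSSL's include/openssl/ssl.h (not a verbatim copy;
# only SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = SSL_OP_BIT(18) comes from the post).
# SSL_OP_EXAMPLE_ALIAS and SSL_OP_EXAMPLE_LITERAL are invented names; the literal shows
# the older 1.1.x spelling of the same 0x40000 value.
SSL_H_EXCERPT = """
# define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        SSL_OP_BIT(18)
# define SSL_OP_NO_COMPRESSION                           SSL_OP_BIT(17)
# define SSL_OP_LEGACY_SERVER_CONNECT                    SSL_OP_BIT(2)
# define SSL_OP_EXAMPLE_ALIAS                            SSL_OP_NO_COMPRESSION
# define SSL_OP_EXAMPLE_LITERAL                          0x00040000U
"""

# One "# define SSL_OP_NAME  body" per line; a trailing /* comment */ is ignored.
# Function-like macros such as SSL_OP_BIT(n) do not match because "(" follows the name.
_DEFINE_RE = re.compile(r"^\s*#\s*define\s+(SSL_OP_\w+)\s+(.+?)\s*(?:/\*.*)?$", re.M)


def parse_ssl_op_defines(header_text):
    """Map SSL_OP_* macro names to their raw replacement text."""
    return {name: body for name, body in _DEFINE_RE.findall(header_text)}


def resolve_ssl_op(name, defines, _depth=0):
    """Resolve a macro name to its integer option mask.

    Handles the three spellings seen in OpenSSL headers: SSL_OP_BIT(n),
    a hex literal with an optional U/L suffix, and an alias to another
    SSL_OP_* macro (followed recursively, with a loop guard)."""
    if _depth > 16:
        raise ValueError("macro alias chain too deep: " + name)
    if name not in defines:
        raise KeyError("macro not defined in header excerpt: " + name)
    body = defines[name].strip()
    m = re.fullmatch(r"SSL_OP_BIT\(\s*(\d+)\s*\)", body)
    if m:
        return 1 << int(m.group(1))          # SSL_OP_BIT(18) -> 1 << 18 -> 0x40000
    m = re.fullmatch(r"(0[xX][0-9a-fA-F]+)[uUlL]*", body)
    if m:
        return int(m.group(1), 16)           # 0x00040000U -> 0x40000
    if re.fullmatch(r"SSL_OP_\w+", body):
        return resolve_ssl_op(body, defines, _depth + 1)
    raise ValueError("unsupported macro body for %s: %r" % (name, body))


def squid_tls_options_line(names, defines, directive="tls_outgoing_options"):
    """Build the squid.conf directive for the given OpenSSL option names.

    Assumption (not stated in the post): the bits of several options can be
    OR'd into a single mask, as Squid passes the number on as an option mask."""
    mask = 0
    for n in names:
        mask |= resolve_ssl_op(n, defines)
    return "%s options=0x%x" % (directive, mask)


def explain_option_mask(mask, defines):
    """Reverse check for config review: which SSL_OP_* names does a numeric
    mask enable?  Returns (sorted names, bits not explained by any macro)."""
    names = []
    remaining = mask
    for name in defines:
        try:
            value = resolve_ssl_op(name, defines)
        except (KeyError, ValueError):
            continue
        if value and mask & value == value:
            names.append(name)
            remaining &= ~value
    return sorted(names), remaining


if __name__ == "__main__":
    defs = parse_ssl_op_defines(SSL_H_EXCERPT)
    print(squid_tls_options_line(["SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"], defs))
    print(explain_option_mask(0x40000, defs))
```

Point `parse_ssl_op_defines` at the real `ssl.h` of the OpenSSL build Squid links against, not at the excerpt: the bit assignments differ between OpenSSL releases, which is exactly why Alex says to take the value from your own sources. Run `explain_option_mask` on any hex value already present in a squid.conf before accepting it in review, so that a downgrade such as unsafe legacy renegotiation is visible by name rather than hidden behind a number.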