[squid-users] is tls_outgoing_options cipher ignored in squid 7.1?

Alex Rousskov rousskov at measurement-factory.com
Fri Jul 25 21:44:24 UTC 2025


On 2025-07-25 05:13, Dieter Bloms wrote:
> Hello,
> 
> I'm running squid on debian bookworm with all patches.
> I configured the following ciphers:
> 
> tls_outgoing_options cipher=TLSv1.2:!CBC:!kRSA:!DSS:!PSK:!aNULL:!ARIA:!CAMELLIA:!AESCCM:!SHA256:!SHA384@SECLEVEL=2
> 
> With squid 6.13 I get the following ciphers list with the ssllab browser test: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
> 
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_AES_128_GCM_SHA256 (0x1301)
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> 
> which look good to me, but when I run squid 7.1 on the same system with
> the same config I get the following list:
> 
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> 
> which includes some weak ciphers like:
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_GCM_SHA384
> ...
> 
> Is this a bug, a feature or a mistake on my side?

Based on the information above, I cannot answer your question, but Squid 
should honor tls_outgoing_options except when peeking at or splicing TLS 
connections using the corresponding ssl_bump features. I know that at 
least some portions of tls_outgoing_options code worked when we were 
adding support for tls_outgoing_options_for_retries in 2023 (Draft PR 
#1456).

If you suspect a bug, please file a bug report after double checking 
that both tests use the same OpenSSL library and that there are no 
potentially related errors or warnings reported by either Squid at 
startup. In your bug report, if any, please share relevant parts of 
ssl_bump configuration (if you are using that feature for the affected 
connections).


Cheers,

Alex.
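A practical way to do the comparison Alex asks for, written here as an added example (this is not Squid code and not part of either e-mail): classify the suite names a browser-side scanner reports against the exclusions in the quoted cipher string, and expand the same string with the local `openssl` binary so the two hosts can be checked for different OpenSSL behaviour. The cipher string and the two suite lists are copied from the thread; the rule table and helper names are this example's own. Note that Squid's `cipher=` is an OpenSSL cipher list, which governs TLS 1.2 and earlier suites only, so the three `TLS_AES_*`/`TLS_CHACHA20_*` entries are expected in both lists, and `!SHA256:!SHA384` remove only non-AEAD suites with that HMAC, so `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` is also expected.

```python
"""Check a scanner-reported cipher list against a Squid tls_outgoing_options
cipher= string (OpenSSL cipher-list syntax). Added example for the thread
above, not Squid code: the cipher string and suite lists are copied from the
thread; rules and helper names are this example's own."""
import re
import shutil
import subprocess

# cipher= is an OpenSSL cipher list (SSL_CTX_set_cipher_list), which governs
# TLS 1.2 and earlier suites only; TLS 1.3 suites are selected separately.
SQUID_CIPHER_STRING = ("TLSv1.2:!CBC:!kRSA:!DSS:!PSK:!aNULL:!ARIA:!CAMELLIA"
                       ":!AESCCM:!SHA256:!SHA384@SECLEVEL=2")

# What each "!" exclusion should remove, matched against IANA suite names as
# reported by browser-side scanners such as the SSL Labs client test.
EXCLUSION_RULES = [
    ("kRSA: static RSA key exchange, no forward secrecy", r"^TLS_RSA_WITH_"),
    ("CBC: non-AEAD block-cipher mode", r"_CBC_"),
    ("DSS", r"_DSS_"),
    ("PSK", r"_PSK_"),
    ("aNULL: anonymous key exchange", r"^TLS_(DH|ECDH)_anon_"),
    ("ARIA", r"_ARIA_"),
    ("CAMELLIA", r"_CAMELLIA_"),
    ("AESCCM", r"_AES_\d+_CCM"),
    # !SHA256/!SHA384 match the HMAC of non-AEAD suites only; GCM and
    # CHACHA20_POLY1305 suites have Mac=AEAD in OpenSSL, so the _SHA384 PRF
    # suffix of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is not a match.
    ("SHA256/SHA384 HMAC on a non-AEAD suite", r"_CBC_SHA(256|384)$"),
]

SQUID_6_13 = """
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""

SQUID_7_1 = """
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""


def parse_scanner_list(text):
    """Pasted scanner output (possibly '>'-quoted, possibly with '(0x1301)'
    codes appended) -> list of IANA suite names."""
    tokens = text.replace(">", " ").split()
    return [t for t in tokens if not t.startswith("(")]


def classify(name):
    """Return (kind, reasons): kind is 'scsv', 'tls13' or 'tls12'; reasons are
    the exclusions in SQUID_CIPHER_STRING that a tls12 suite should have hit."""
    if name.endswith("_SCSV"):
        return "scsv", []           # signalling value, not a cipher suite
    if "_WITH_" not in name:
        return "tls13", []          # TLS 1.3 suite: cipher= does not apply
    return "tls12", [why for why, rx in EXCLUSION_RULES if re.search(rx, name)]


def policy_violations(names):
    """Offered TLS 1.2 suites the cipher string should have removed -> reasons."""
    return {n: classify(n)[1] for n in names if classify(n)[1]}


def expand_with_openssl(cipher_string):
    """Expand the string with the local OpenSSL and return
    [(openssl_name, protocol), ...], or None if no openssl binary is found.
    Run on both hosts: the same string can expand differently per build."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return [tuple(l.split()[:2]) for l in proc.stdout.splitlines() if l.split()]


if __name__ == "__main__":
    for label, text in (("squid 6.13", SQUID_6_13), ("squid 7.1", SQUID_7_1)):
        bad = policy_violations(parse_scanner_list(text))
        print(f"{label}: {len(bad)} offered suite(s) contradict cipher=")
        for name, reasons in bad.items():
            print(f"  {name}: {'; '.join(reasons)}")
    local = expand_with_openssl(SQUID_CIPHER_STRING)
    if local is not None:
        print(f"local openssl expands the string to {len(local)} suites")
```

Run as is, the 6.13 list produces no violations and the 7.1 list produces six (the four CBC suites and the two static-RSA GCM suites), which is the list Dieter flags. The `openssl ciphers -v` expansion is what to compare between the two hosts, and the `@SECLEVEL=2` part is evaluated by OpenSSL itself, so differences there show up in that output rather than in Squid.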


