On Thu, Apr 13, 2017 at 09:04:01PM +0100, Darac Marjal wrote:
> It looks[1] like Squid can do SSL Interception. I imagine it should be
> possible, therefore, for squid to perform the HTTPS connection and
> either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV
Well, automatic downgrade to HTTP could work; I'm not sure how to implement it, but you'll often experience issues due to missing SNI support. For example, in the case of elinks you can find the following open wishlist bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797968 So that issue will continue to exist in stretch, but that's not the fault of GNUTLS but an application issue.

In regard to cipher support, at least GNUTLS from jessie should work with most public sites. For wheezy the situation might be more complicated. Regarding Squid, I *think* it's also missing SNI support at the moment, and for sure in wheezy.

Long story short: you need a somewhat recent GNUTLS release (jessie should be fine) and application-level support on par with that.

Sven