Thanks for the input, Alex. I had many, many issues compiling OpenSSL without TLS 1.3. At first I tried doing it side by side with the version I had in the OS but failed miserably, with Squid continuing to use the OS package. Eventually I release-upgraded the OS and now have the 1.1.1-1 package from the repo, rebuilt it with no-tls1_3 in CONFARGS.

And to my amazement Squid continues serving TLS 1.3 :) Any suggestions on how to allow TLS 1.1 and TLS 1.2 only are very welcome. Maybe tls_outgoing_options cipher= ...

Thanks in advance for helping out!

On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
>
> > Squid 4.5 with openssl support here.
> > SSL bumping can't obtain SNI / cert domain to perform filtering when
> > tls1.3 is used.
> > I want to disable support for tls1.3 in config but don't find a way to do
> > so. There's the outdated sslproxy_options config directive which doesn't
> > appear to be supported in 4.5.
> >
> > The goal is: allow everything besides tls1.3.
>
> Good question!
>
> TLS v1.3 clients that use "Middlebox Compatibility Mode", including
> OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
> that attempt to restore a non-existent TLS session. Squid probably does
> not have ACLs that can detect those lies. However, if you think you can
> detect them, you can pass TLS Hello to your external ACL via the
> %>handshake logformat code.
>
> If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
> I suspect the answer is "yes, but only if you bump the client connection
> first": A peeking Squid cannot negotiate a different TLS version with
> the client. If TLS downgrade is what you want, you can probably use an
> OpenSSL version that does not support TLS v1.3. There may also be an
> OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
> have not researched that.
>
> Finally, there may be a bug in earlier versions of Squid that breaks
> peeking at TLS v1.3 servers during step2. Staring works. We have not
> tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
> is largely pointless because useful information in TLS v1.3 Server Hello
> is encrypted.
>
>
> HTH,
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

--
Yours Sincerely,
*Stilyan Georgiev*
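An added example, not part of this thread and not Squid's own code, illustrating the detection Alex describes: a TLS 1.3 client in middlebox compatibility mode puts TLS 1.2 in the ClientHello's legacy_version field and sends a non-empty legacy_session_id, while its real offer sits in the supported_versions extension (RFC 8446). The Python below parses a ClientHello record, reads that extension, and returns an OK/ERR verdict in the style of a Squid external ACL helper. It assumes the helper is handed the raw ClientHello record bytes (for example the base64-decoded value of the %>handshake logformat code Alex mentions; the exact framing is an assumption) and that denying on a TLS 1.3 offer is the desired policy. The sample hellos are constructed in the block, not captures.

```python
"""Tell a real TLS 1.3 ClientHello from its TLS 1.2-looking wrapper.

Added example for the squid-users thread above; not Squid code. It assumes an
external ACL helper receives raw ClientHello record bytes (e.g. base64-decoded
%>handshake) and answers OK (allow) or ERR (deny).
"""

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
    0x0303: "TLS1.2", 0x0304: "TLS1.3",
}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type "supported_versions"


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and report the versions it offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    h = body[4:4 + hs_len]
    if len(h) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    legacy_version = int.from_bytes(h[pos:pos + 2], "big"); pos += 2
    pos += 32                                    # client random
    sid_len = h[pos]; pos += 1 + sid_len         # legacy_session_id
    cs_len = int.from_bytes(h[pos:pos + 2], "big"); pos += 2 + cs_len  # cipher_suites
    cm_len = h[pos]; pos += 1 + cm_len           # compression_methods
    if pos > len(h):
        raise ValueError("truncated ClientHello")

    offered = [legacy_version]  # with no supported_versions, legacy_version is the highest offer
    if pos + 2 <= len(h):
        ext_len = int.from_bytes(h[pos:pos + 2], "big"); pos += 2
        end = min(pos + ext_len, len(h))
        while pos + 4 <= end:
            etype = int.from_bytes(h[pos:pos + 2], "big")
            elen = int.from_bytes(h[pos + 2:pos + 4], "big")
            edata = h[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]  # byte length of the version list that follows
                offered = [int.from_bytes(edata[i:i + 2], "big")
                           for i in range(1, 1 + n, 2) if i + 2 <= len(edata)]

    return {
        "legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
        "offered": [TLS_VERSIONS.get(v, hex(v)) for v in offered],
        "session_id_len": sid_len,
        "offers_tls13": 0x0304 in offered,
        # TLS 1.2 outside, non-empty session id, TLS 1.3 inside: the "fake resumption" pattern
        "middlebox_compat": legacy_version == 0x0303 and sid_len > 0 and 0x0304 in offered,
    }


def acl_verdict(record: bytes) -> str:
    """External-ACL style answer: ERR (deny) for a TLS 1.3 offer, OK otherwise."""
    try:
        return "ERR" if parse_client_hello(record)["offers_tls13"] else "OK"
    except ValueError:
        return "ERR"  # unparsable handshake: fail closed


def build_client_hello(legacy_version: int, supported_versions=(), session_id: bytes = b"") -> bytes:
    """Construct a minimal ClientHello record for offline testing (constructed sample, not a capture)."""
    exts = b""
    if supported_versions:
        vs = b"".join(v.to_bytes(2, "big") for v in supported_versions)
        ext_body = bytes([len(vs)]) + vs
        exts = EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(ext_body).to_bytes(2, "big") + ext_body
    hello = (legacy_version.to_bytes(2, "big") + bytes(32)  # zero random is fine for a test vector
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\xc0\x2f"                           # one cipher suite; irrelevant to version detection
             + b"\x01\x00"                                   # null compression only
             + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed samples: a TLS 1.3 hello in middlebox compatibility mode, and a plain TLS 1.2 hello.
MIDDLEBOX_TLS13_HELLO = build_client_hello(0x0303, (0x0304, 0x0303), session_id=bytes(range(32)))
PLAIN_TLS12_HELLO = build_client_hello(0x0303)

if __name__ == "__main__":
    for name, rec in (("tls13-compat", MIDDLEBOX_TLS13_HELLO), ("tls12", PLAIN_TLS12_HELLO)):
        print(name, acl_verdict(rec), parse_client_hello(rec))
```

The point of reading supported_versions rather than the record or legacy_version fields is exactly the "lie" Alex describes: both constructed samples carry TLS 1.2 in every outer version field, and only the extension separates them. As Alex also notes, a verdict from the ClientHello can refuse or route a client, but it cannot make a peeking Squid negotiate a lower version; that needs the client connection to be bumped.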