When testing like so: openssl s_client -connect google.com:443 I get tls1.2 back
Via mobile chrome browser (android) and the proxy I get tls1.3

Truly don't understand :)

----- Some output -----

Service Name: squid
This binary uses OpenSSL 1.1.1 11 Sep 2018.

dpkg --list |grep ssl
ii libgnutls-openssl27:amd64 3.6.4-2ubuntu1.1 amd64 GNU TLS library - OpenSSL wrapper
ii libio-socket-ssl-perl 2.060-3 all Perl module implementing object oriented interface to SSL sockets
ii libnet-smtp-ssl-perl 1.04-1 all Perl module providing SSL support to Net::SMTP
ii libnet-ssleay-perl 1.85-2ubuntu2 amd64 Perl module for Secure Sockets Layer (SSL)
ii libssl-dev:amd64 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.0.0:amd64 1.0.2n-1ubuntu6.2 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libxmlsec1-openssl:amd64 1.2.26-3 amd64 Openssl engine for the XML security library
ii libzstd1:amd64 1.3.5+dfsg-1ubuntu1 amd64 fast lossless compression algorithm
ii openssl 1.1.1-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii perl-openssl-defaults:amd64 3build1 amd64 version compatibility baseline for Perl OpenSSL packages
ii python3-openssl 18.0.0-1 all Python 3 wrapper around the OpenSSL library
rc ssl-cert 1.0.39 all simple debconf wrapper for OpenSSL

On Thu, Feb 28, 2019 at 1:13 AM Stilyan Georgiev <stilyangeorg...@gmail.com> wrote:

> Thanks for the input Alex.
> I had many, many issues compiling openssl without tls1.3. At first I tried
> doing it side by side with the version I had in the OS but failed miserably, with
> squid continuing to use the OS package.
> Eventually I release upgraded the OS and now have the 1.1.1-1 package from
> the repo, rebuilt it with no-tls1_3 in CONFARGS
>
> And to my amazement squid continues serving tls1.3 :)
>
> Any suggestions on how to allow tls1.1 and tls1.2 only are very
> welcome. Maybe tls_outgoing_options cipher= ...
>
> Thanks in advance for helping out!
>
> On Tue, Feb 26, 2019 at 9:10 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
>> On 2/26/19 4:55 AM, Stilyan Georgiev wrote:
>>
>> > Squid 4.5 with openssl support here.
>> > SSL bumping can't obtain SNI / cert domain to perform filtering when
>> > tls1.3 is used.
>> > I want to disable support for tls1.3 in config but don't find a way to do
>> > so. There's the outdated sslproxy_options config directive which doesn't
>> > appear to be supported in 4.5
>> >
>> > The goal is - allow everything, besides tls1.3
>>
>> Good question!
>>
>> TLS v1.3 clients that use "Middlebox Compatibility Mode", including
>> OpenSSL s_client and popular browsers, pretend to be TLS v1.2 clients
>> that attempt to restore a non-existent TLS session. Squid probably does
>> not have ACLs that can detect those lies. However, if you think you can
>> detect them, you can pass TLS Hello to your external ACL via the
>> %>handshake logformat code.
>>
>> If you are asking whether Squid can downgrade TLS v1.3 to TLS v1.2, then
>> I suspect the answer is "yes, but only if you bump the client connection
>> first": A peeking Squid cannot negotiate a different TLS version with
>> the client. If TLS downgrade is what you want, you can probably use an
>> OpenSSL version that does not support TLS v1.3. There may also be an
>> OpenSSL v1.1.1 configuration option to turn TLS v1.3 support off, but I
>> have not researched that.
>>
>> Finally, there may be a bug in earlier versions of Squid that breaks
>> peeking at TLS v1.3 servers during step2. Staring works. We have not
>> tested Squid v4.5 though. Please note that peeking at TLS v1.3 servers
>> is largely pointless because useful information in TLS v1.3 Server Hello
>> is encrypted.
>>
>>
>> HTH,
>>
>> Alex.
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> --
> Yours Sincerely,
>
> *Stilyan Georgiev*

--
Yours Sincerely,

*Stilyan Georgiev*
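Alex's point above is that a compatibility-mode TLS 1.3 ClientHello carries legacy_version 0x0303 (TLS 1.2) and a fake session ID, so only the supported_versions extension reveals that TLS 1.3 is on offer. The following is an added Python example, not code from the thread or from Squid: it builds two constructed ClientHello records (one compatibility-mode 1.3 client, one genuine 1.2-only client) and parses them the way a %>handshake external ACL helper would have to; the function names, the sample hellos and the helper-side plumbing that delivers the bytes are all assumptions.

```python
import struct

SUPPORTED_VERSIONS = 0x002B   # extension type (RFC 8446 4.2.1): where the true version lives
SERVER_NAME = 0x0000          # SNI extension type (RFC 6066)
TLS12, TLS13 = 0x0303, 0x0304

def build_client_hello(legacy_version, versions, sni):
    """Constructed sample ClientHello record (not a real capture)."""
    host = sni.encode()
    name_list = struct.pack("!BH", 0, len(host)) + host
    exts = struct.pack("!HHH", SERVER_NAME, len(name_list) + 2, len(name_list)) + name_list
    if versions:  # a TLS 1.3 client always sends supported_versions; a 1.2-only client may not
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HHB", SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
    body = struct.pack("!H", legacy_version) + bytes(32)       # legacy_version + random (zeros)
    body += bytes([32]) + bytes(range(32))                       # fake session_id (compat mode)
    suites = struct.pack("!HHH", 0x1301, 0x1302, 0xC02F)         # two 1.3 suites + one 1.2 suite
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # ... + null compression only
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header

def parse_client_hello(rec):
    """Return (legacy_version, offered_versions, sni) from a raw ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                                   # record (5) + handshake (4) headers
    legacy = struct.unpack("!H", rec[p:p + 2])[0]
    p += 34                                                 # legacy_version + 32-byte random
    p += 1 + rec[p]                                         # session_id (non-empty in compat mode)
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]           # cipher_suites
    p += 1 + rec[p]                                         # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    offered, sni = [legacy], None   # without supported_versions, legacy_version is the truth
    while p < end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data, p = rec[p + 4:p + 4 + elen], p + 4 + elen
        if etype == SUPPORTED_VERSIONS:
            offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
        elif etype == SERVER_NAME:
            sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
    return legacy, offered, sni

def offers_tls13(rec):  # the check a %>handshake helper would actually need, not legacy_version
    return TLS13 in parse_client_hello(rec)[1]

COMPAT_HELLO = build_client_hello(TLS12, [TLS13, TLS12], "example.com")  # looks like 1.2, offers 1.3
TLS12_HELLO = build_client_hello(TLS12, [], "example.com")                # genuine 1.2-only client

if __name__ == "__main__":
    print(parse_client_hello(COMPAT_HELLO), offers_tls13(COMPAT_HELLO), parse_client_hello(TLS12_HELLO))
```

Both hellos report legacy_version 0x0303, which is why a version check on that field alone cannot tell a TLS 1.3 browser from a TLS 1.2 one.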