Hi, I am trying to allow access for only TLS versions 1.2 and above on Squid 3.5.20.
For testing purposes, I have set options in squid config as follows.

```
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
```

I test using curl

```
curl -v https://api.github.com/users/xyz
```

I am able to access github and the ssl connection is tls 1.2

```
* Trying 13.236.14.80...
* TCP_NODELAY set
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: Jun 22 00:00:00 2020 GMT
* expire date: Aug 17 12:00:00 2022 GMT
* subjectAltName: host "api.github.com" matched cert's "*.github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> GET /users/xyz HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 05 Oct 2020 22:57:40 GMT
< content-type: application/json; charset=utf-8
< server: GitHub.com
< status: 200 OK
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"
< last-modified: Wed, 23 May 2018 19:43:26 GMT
< x-github-media-type: github.v3; format=json
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< X-Ratelimit-Limit: 60
< X-Ratelimit-Remaining: 59
< X-Ratelimit-Reset: 1601942260
< X-Ratelimit-Used: 1
< Accept-Ranges: bytes
< Content-Length: 1220
< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4
<
{
  "login": "xyz",
  "id": 14513,
  "node_id": "MDQ6VXNlcjE0NTEz",
  "avatar_url": "https://avatars1.githubusercontent.com/u/14513?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/xyz",
  "html_url": "https://github.com/xyz",
  "followers_url": "https://api.github.com/users/xyz/followers",
  "following_url": "https://api.github.com/users/xyz/following{/other_user}",
  "gists_url": "https://api.github.com/users/xyz/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/xyz/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/xyz/subscriptions",
  "organizations_url": "https://api.github.com/users/xyz/orgs",
  "repos_url": "https://api.github.com/users/xyz/repos",
  "events_url": "https://api.github.com/users/xyz/events{/privacy}",
  "received_events_url": "https://api.github.com/users/xyz/received_events",
  "type": "User",
  "site_admin": false,
  "name": "xyz",
  "company": null,
  "blog": "",
  "location": null,
  "email": null,
  "hireable": null,
  "bio": null,
  "twitter_username": null,
  "public_repos": 1,
  "public_gists": 0,
  "followers": 8,
  "following": 1,
  "created_at": "2008-06-21T11:58:01Z",
  "updated_at": "2018-05-23T19:43:26Z"
}
* Connection #0 to host api.github.com left intact
```

Despite setting no tls 1.2, I am able to successfully make a connection. What am I missing here? Any help much appreciated.

--
*Nisa Balakrishnan*
Automation Engineer | m: 0473942819 | p: 03 9081 3700 <+61390813700>
Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008
Vibrato has merged with Servian! Check out the news article here <https://www.arnnet.com.au/article/664971/servian-nabs-vibrato-multi-million-dollar-deal/>
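One way to read a `curl -v` trace like the one in this message: extract which certificate issuer and TLS version the client actually negotiated, then compare that with the `options=` list. This is an added example, not part of the original message or of Squid; the proxy CA name `EXAMPLE-SQUID-CA` is a placeholder (the subject of `squid.pem` is not given in the post), and it assumes a bumped session presents a certificate issued by the proxy's own signing certificate.

```python
import re

# TLS-relevant lines copied from the curl -v trace quoted in the message.
TRACE = """\
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
"""

# Squid option name -> protocol string as curl/OpenSSL prints it.
DISABLES = {
    "NO_SSLv2": "SSLv2", "NO_SSLv3": "SSLv3", "NO_TLSv1": "TLSv1",
    "NO_TLSv1_1": "TLSv1.1", "NO_TLSv1_2": "TLSv1.2",
}

def parse_trace(text):
    """Pull peer, protocol, cipher and issuer CN out of curl -v output."""
    out = {}
    m = re.search(r"^\* Connected to (\S+) \(([^)]+)\) port (\d+)", text, re.M)
    if m:
        out.update(host=m.group(1), ip=m.group(2), port=int(m.group(3)))
    m = re.search(r"^\* SSL connection using (\S+) / (\S+)", text, re.M)
    if m:
        out.update(protocol=m.group(1), cipher=m.group(2))
    m = re.search(r"^\*\s+issuer:.*\bCN=(.+?)\s*$", text, re.M)
    if m:
        out["issuer_cn"] = m.group(1)
    return out

def assess(text, options, proxy_ca_cn):
    """Classify one trace against a Squid options= list."""
    info = parse_trace(text)
    if "protocol" not in info:
        return "no-tls-handshake", info
    disabled = {DISABLES[o.strip()] for o in options.split(",") if o.strip() in DISABLES}
    # Assumption: if the issuer is not the proxy's CA, the client's TLS session
    # was not terminated by the proxy, so its options= list never applied to it.
    if info.get("issuer_cn") != proxy_ca_cn:
        return "not-terminated-by-proxy", info
    if info["protocol"] in disabled:
        return "disabled-protocol-negotiated", info
    return "ok", info

if __name__ == "__main__":
    print(assess(TRACE, "NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2", "EXAMPLE-SQUID-CA"))
```

On the quoted trace this returns `not-terminated-by-proxy`, because the issuer is the DigiCert CA rather than the placeholder proxy CA.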