Thanks Amos. I have verified that the Squid build is done with OpenSSL that supports 1.2 but not 1.3. I am worried that Squid does not pass the flag set via options. I am able to lock Squid to TLS 1.2 only with sslproxy_version.
To be a bit more clear, the squid implementation is a whitelist filtering proxy. It does not bump ssl requests. It does peek and splice on intercept.

On Tue, 6 Oct 2020 at 20:34, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> > Hi,
> >
> > I am trying to allow access for only tls versions 1.2 and above on Squid
> > 3.5.20
> >
>
> Note that "above 1.2" are not supported by that ancient version of
> Squid. Your test disables everything except SSLv1 code in the library.
>
>
> > For testing purposes, I have set options in squid config as follows.
> >
> > ```
> > https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> > options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> >
> > sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> > ```
> >
>
> Support for all those options depends on the version, build options, and
> global config settings of the OpenSSL library being used. They are just
> flags Squid passes to the library on connection setup.
>
>
> FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
> to TLS since then. Please try to upgrade to current Squid-4 stable, or
> for best SSL-Bump behaviour the current Squid-5 beta.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

--
Nisa Balakrishnan
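An added example, not part of the thread and not Squid's own code: a small Python check that reads the `options=` and `sslproxy_options` values from squid.conf text and reports which protocol versions the `NO_*` flags leave enabled. It assumes the linked library offers SSLv2 through TLS 1.2 and models only what the configuration requests; the function names and the second sample configuration are constructed for illustration.

```python
import re

# Versions assumed present in the linked OpenSSL (the poster's build stops at
# TLS 1.2), each mapped to the Squid option flag that disables it.
DISABLE_FLAG = {"SSLv2": "NO_SSLv2", "SSLv3": "NO_SSLv3", "TLSv1": "NO_TLSv1",
                "TLSv1.1": "NO_TLSv1_1", "TLSv1.2": "NO_TLSv1_2"}
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # everything below TLS 1.2


def enabled_versions(options):
    """Versions left enabled by a comma- or colon-separated options string."""
    flags = {f.strip() for f in re.split(r"[,:]", options)}
    return [v for v, flag in DISABLE_FLAG.items() if flag not in flags]


def audit(conf_text):
    """Return (directive, enabled, weak) for each TLS options setting found."""
    findings = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "https_port":
            opts = [f[len("options="):] for f in fields[1:] if f.startswith("options=")]
            options = opts[-1] if opts else ""
        elif fields[0] == "sslproxy_options" and len(fields) > 1:
            options = fields[1]
        else:
            continue
        enabled = enabled_versions(options)
        findings.append((fields[0], enabled, [v for v in enabled if v in WEAK]))
    return findings


# Constructed sample: the test settings quoted in the thread, and a variant
# that disables TLS 1.1 instead of TLS 1.2.
QUOTED = """\
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
"""
TLS12_ONLY = QUOTED.replace("NO_TLSv1_2", "NO_TLSv1_1")

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED), ("tls12-only", TLS12_ONLY)):
        for directive, enabled, weak in audit(conf):
            print(f"{name:11}{directive:17} enabled={enabled} weak={weak}")
```

A non-empty `weak` list means the flags still permit a protocol below TLS 1.2; what the proxy actually negotiates also depends on the OpenSSL build, so confirm against the running service.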