On 2025-07-25 05:13, Dieter Bloms wrote:
> Hello,
> I'm running squid on debian bookworm with all patches.
> I configured the following ciphers:
> tls_outgoing_options cipher=TLSv1.2:!CBC:!kRSA:!DSS:!PSK:!aNULL:!ARIA:!CAMELLIA:!AESCCM:!SHA256:!SHA384@SECLEVEL=2
> With squid 6.13 I get the following ciphers list with the ssllab browser test:
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_AES_128_GCM_SHA256 (0x1301)
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> which look good to me, but when I run squid 7.1 on the same system with
> the same config I get the following list:
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> which includes some weak ciphers like:
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_GCM_SHA384
> ...
> Is this a bug, a feature or a mistake on my side?
Based on the information above, I cannot answer your question, but Squid
should honor tls_outgoing_options except when peeking at or splicing TLS
connections using the corresponding ssl_bump features. I know that at
least some portions of tls_outgoing_options code worked when we were
adding support for tls_outgoing_options_for_retries in 2023 (Draft PR
#1456).
If you suspect a bug, please file a bug report after double checking
that both tests use the same OpenSSL library and that there are no
potentially related errors or warnings reported by either Squid at
startup. In your bug report, if any, please share relevant parts of
ssl_bump configuration (if you are using that feature for the affected
connections).
Cheers,
Alex.
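An added check for the two points raised above (my own example, not Squid's code or anything posted in the thread): it flags, in an SSL Labs suite list, the TLS 1.2 suites that the quoted cipher string was meant to exclude (static RSA key exchange, CBC mode), and it applies the same string to the OpenSSL that the local Python links against, so the two Squid hosts can be compared for library version and cipher-string parsing as Alex suggests. The suite list is the Squid 7.1 one from the question; the function names are mine.

```python
import ssl

# Dieter's tls_outgoing_options cipher= string, copied from the thread.
CIPHER_STRING = ("TLSv1.2:!CBC:!kRSA:!DSS:!PSK:!aNULL:!ARIA:!CAMELLIA:"
                 "!AESCCM:!SHA256:!SHA384@SECLEVEL=2")

# Suite names SSL Labs reported for Squid 7.1 (the suspicious run in the thread).
SQUID_7_1_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

def policy_violations(iana_names):
    """Map each TLS 1.2 suite that '!CBC' or '!kRSA' should have removed to its
    reasons. TLS 1.3 suites are not governed by the TLS 1.2 cipher string."""
    bad = {}
    for name in iana_names:
        if "_WITH_" not in name:  # TLS 1.3 suite or the SCSV: no key-exchange part
            continue
        reasons = []
        if name.split("_WITH_")[0] == "TLS_RSA":  # static RSA kx, no forward secrecy
            reasons.append("static RSA key exchange (!kRSA)")
        if "_CBC_" in name:
            reasons.append("CBC mode (!CBC)")
        if reasons:
            bad[name] = reasons
    return bad

def local_openssl_view(cipher_string=CIPHER_STRING):
    """Apply the cipher string to the OpenSSL Python links against and return
    (OpenSSL version, enabled TLS 1.2 suites in OpenSSL naming, suites that are
    still static-RSA or non-AEAD). Run on each host to compare the libraries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    leaked = [c["name"] for c in suites if c["kea"] == "kx-rsa" or not c["aead"]]
    return ssl.OPENSSL_VERSION, sorted(c["name"] for c in suites), leaked

if __name__ == "__main__":
    for suite, why in policy_violations(SQUID_7_1_SUITES).items():
        print(f"{suite}: {'; '.join(why)}")
    version, enabled, leaked = local_openssl_view()
    print(f"{version}: {len(enabled)} TLS 1.2 suites enabled, leaked={leaked}")
```

If `leaked` is empty on both hosts but SSL Labs still shows the static-RSA and CBC suites for one of them, the cipher string itself is fine and the difference lies in how that Squid build applies it (or in an ssl_bump path that bypasses tls_outgoing_options), which is the information a bug report would need.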
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users