Regarding Squid SSL cipher filtering

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Regarding Squid SSL cipher filtering

john doe
Hi Squid-Community,

I've a question for which I haven't been able to find answer.

I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers allowed.
I see that "sslproxy_cipher" config property would allow me to do it.
But what is unclear to me is whether just setting that list is enough or it needs SSL-Bump too?
Pardon my ignorance around this. I'm not sure if Squid has access to the cipher list.

Any help would be much appreciated.

Thanks,
Chris

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Regarding Squid SSL cipher filtering

Amos Jeffries
Administrator
On 2/02/19 12:04 pm, john doe wrote:
> Hi Squid-Community,
>
> I've a question for which I haven't been able to find answer.
>
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.

The sslproxy_* directives (as of v4 called tls_outgoing_options) are for
TLS/SSL control of connections to servers.

The https_port and http_port directives have options for TLS/SSL on
connections from clients.

The cache_peer directive has options for fine tuning or locking down
TLS/SSL to each peer server.


> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?

For TLS interactions between the client and server (CONNECT tunnels)
then Yes, you need to MITM (SSL-Bump) to interact with their crypto.

For TLS between client and proxy, then no. Squid is in control already -
at least of the proxy end of the connection.



> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
>

None needed. Nobody knows everything about Squid (even us official and
logn-term devs). Help is what this list is for :-)

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Regarding Squid SSL cipher filtering

Alex Rousskov
In reply to this post by john doe
On 2/1/19 4:04 PM, john doe wrote:

> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.

> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.

If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:

* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).

* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::<negotiated_cipher).

For bumped connections, there is also %ssl::>negotiated_cipher.

Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.


Cheers,

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Regarding Squid SSL cipher filtering

john doe
Thanks a lot guys for providing clear explanation.
Much appreciated!

Cheers,
Chris

On Sat, Feb 2, 2019 at 3:29 PM Alex Rousskov <[hidden email]> wrote:
On 2/1/19 4:04 PM, john doe wrote:

> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.

> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.

If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:

* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).

* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::<negotiated_cipher).

For bumped connections, there is also %ssl::>negotiated_cipher.

Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.


Cheers,

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users