SSL Squid 5 Cipher suite ordering issue

SSL Squid 5 Cipher suite ordering issue

premchand142
Hi Team,

I'm running SSL Squid 5 on CentOS 8 and I can see the cipher suite order change when I access the below website through Squid; without using Squid I get the correct order.

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

I want to know why and how Squid is changing the cipher suite order and how to stop Squid from doing it. Please advise.

Thank you
Premchand Naidu.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL Squid 5 Cipher suite ordering issue

Alex Rousskov
On 2/4/21 10:32 AM, Prem Chand wrote:

> I'm running SSL squid 5 on Centos 8 and I could see Cipher Suites order
> changes when I access the below website through Squid and without using
> squid I'm getting correct order.
>
> https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
>
> I want to know why and how Squid is changing the cipher suite order and
> how to stop squid from doing it. Please advise.

There are several different use cases related to cipher order in
Squid-server connections, including these TLS v1.2 (and earlier) cases:

1. You are specifying "tls_outgoing_options cipher", and you are either
not using SslBump or bumping the TLS client during SslBump step1. In
this case, Squid should pass your tls_outgoing_options cipher
configuration to OpenSSL. What happens next is up to OpenSSL.

2. You are not specifying "tls_outgoing_options cipher", and you are
either not using SslBump or bumping the TLS client during SslBump step1.
In this case, Squid does not tell OpenSSL what ciphers to use. What
happens next is up to OpenSSL.

3. You are bumping the TLS client during SslBump step2. In this case,
Squid should give TLS client ciphers to OpenSSL. What happens next is up
to OpenSSL.

4. You are bumping the TLS client during SslBump step3. I am not sure
what should happen here, but perhaps Squid should, during step2, forward
TLS client ciphers that Squid supports, in TLS client order. I do not
know whether Squid actually does that.

To understand why ciphers are reordered, you need to figure out which
use case applies to your test and, if applicable, investigate whether
OpenSSL honors the cipher order specified in SSL_set_cipher_list() and
SSL_CTX_set_cipher_list() calls.

If you confirm that Squid should give the cipher list to OpenSSL in your
use case, and OpenSSL should honor the cipher order, then you can look
for Squid bugs, but that will probably require debugging log analysis
and developer-level expertise.


See also:
http://lists.squid-cache.org/pipermail/squid-users/2021-January/023155.html


HTH,

Alex.
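The check Alex suggests in the reply above (does OpenSSL honor the order of a cipher string handed to SSL_CTX_set_cipher_list()?) can be tried locally before digging into Squid's debug logs. The script below is an added example for this thread, not code from Squid or from either poster. It uses Python's ssl module, which passes set_ciphers() straight to SSL_CTX_set_cipher_list(), to see what order OpenSSL actually ends up with for a given cipher string, the same string you would put in a (hypothetical) "tls_outgoing_options cipher=..." line. The cipher names, the "observed" list standing in for what the SSL Labs client page reported through the proxy, and the comparison helpers are all constructed for the example; "@STRENGTH" is a real OpenSSL cipher-string modifier that instructs OpenSSL itself to re-sort the list.

```python
"""Added example: does OpenSSL keep the order of a cipher string?

Python's SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), so the
list returned by get_ciphers() is the order OpenSSL will offer in a
ClientHello for TLS 1.2 and earlier. Any reordering seen here happens in
OpenSSL, not in the application that supplied the string.
"""
import ssl

# Constructed cipher string in the order a client might advertise it
# (assumed to be present in the local OpenSSL build).
REQUESTED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]

# Constructed stand-in for what a client-test page reported through a
# proxy: same suites, but the AES128 suite moved to the front.
OBSERVED_VIA_PROXY = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-GCM-SHA384",
]


def configured_order(cipher_string):
    """Return the TLS<=1.2 cipher names OpenSSL will offer, in OpenSSL's
    order, after cipher_string is passed to SSL_CTX_set_cipher_list().
    TLS 1.3 suites are configured separately by OpenSSL and are excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def order_preserved(requested, actual):
    """True if the ciphers OpenSSL kept appear in the same relative order
    as requested (ciphers missing from the build are ignored)."""
    kept = [name for name in actual if name in requested]
    return kept == [name for name in requested if name in kept]


def reordered_pairs(requested, observed):
    """Pairs (a, b) where a was requested before b but was observed after
    it; useful for diffing a with-proxy list against a without-proxy one."""
    pos = {name: i for i, name in enumerate(observed)}
    pairs = []
    for i, a in enumerate(requested):
        for b in requested[i + 1:]:
            if a in pos and b in pos and pos[a] > pos[b]:
                pairs.append((a, b))
    return pairs


def main():
    plain = ":".join(REQUESTED)
    print("explicit list   :", configured_order(plain))
    print("order preserved :", order_preserved(REQUESTED, configured_order(plain)))
    # @STRENGTH asks OpenSSL to sort by key length; this is one way a
    # cipher string can legitimately come back reordered by OpenSSL.
    by_strength = plain + ":@STRENGTH"
    print("with @STRENGTH  :", configured_order(by_strength))
    print("order preserved :", order_preserved(REQUESTED, configured_order(by_strength)))
    print("proxy reordering:", reordered_pairs(REQUESTED, OBSERVED_VIA_PROXY))


if __name__ == "__main__":
    main()
```

If order_preserved() is True for the explicit string, OpenSSL is honoring the order it was given, and the next place to look is whether Squid passed that string at all in your SslBump step (cases 1 to 4 in the reply). If it is False, or the string carries a modifier like @STRENGTH, the reordering is OpenSSL's own and no Squid change will undo it.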