On 1/12/18 3:26 pm, John Refwe wrote:
> I have an error when going to a site that is set to be ssl-bumped in squid.
> I have modified my squid config so that I have not specified any ciphers
> (I read in another forum post this would be the way to make it closest
> to the standard openssl).

This should be:

  tls_outgoing_options options=NO_TICKET,ALL,No_SSLv3 min-version=1.0

That use of "ALL" there is a bit obscure. What it actually does is
*enable* all sorts of unsafe security features the library would
normally disable by default. Such as 8-bit hashes and very insecure RSA
The min-version is only required if the library defaults to actively
rejecting TLS/1.0 or such.
To let the library use its defaults you simply do not configure Squid to
require anything at all (i.e. remove the tls_outgoing_options directive