Squid4 with GnuTLS - specify ciphers or disable protocols


Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
I'm using squid 4.4 as a remote proxy for an https server.
Squid 4.4 comes from Debian testing and is compiled with --with-gnutls (no openssl support).

How can I disable certain cipher suites or protocols (like TLS 1.0)?

From my understanding I should add tls-min-version=1.1 to https_port - but that is ignored...?
Where can I add GnuTLS priority strings to disable certain ciphers?

I guess the documentation about https_port is somewhat misleading, as it often refers to the openssl config.

Thanks in advance for any help.

Regards, Martin

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
On 10/11/18 7:04 AM, Martin Hoffmann wrote:
> I'm using squid 4.4 as remote proxy for an https server.
> Squid 4.4 comes from Debian testing and is compiled with --with-gnutls
> (no openssl support).
>
> How can I disable certain cipher suites or protocols (like TLS 1.0) ?
>
> From my understanding I should add tls-min-version=1.1 to https_port -
> but that is ignored...?

Hmm, I think I've found a bug in there which would cause that.


> Where can I add GnuTLS priority strings to disable certain ciphers ?
>

Use "tls-options=". It is not yet documented since it has not had much
testing. For GnuTLS it should take a ':' separated list of priority strings.

FWIW: To work around the above tls-min-version bug, you should add the
priority string ":-VERS-TLS1.0" to that list of your custom ones. That
is what the min-version options should have been doing but clearly is not.


> I guess Documentation about https_port is somewhat misleading as it
> often refers to the openssl config.

Most documentation is still about OpenSSL because that is the older
feature set.

Settings that are named with "tls" prefixes have been given GnuTLS
support and should work for either library unless explicitly stated as
requiring one in particular.


HTH
Amos

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
Thanks for your quick reply.

Are you sure that tls-options *is working*?

It seems that no matter what options I give to tls-options everything is ignored:

https_port 192.168.x.y:443 tls-cert=/path/cert.crt tls-key=/path/cert.key tls-dh=/path/dhparams.pem tls-options=NORMAL:-VERS-TLS1.0 accel defaultsite=my.domain.com


I have even tried tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2 - but in the end it's all the same: TLS 1.0, 1.1 and 1.2 are enabled and all the same cipher suites are active. Absolutely identical to omitting tls-options=... altogether.

Any idea?

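
Added example (not code from the thread, Squid or GnuTLS): a small model of how the VERS-* keywords in a GnuTLS priority string such as the ones above are applied, plus a client-side probe that offers one protocol version at a time to an https_port so you can see whether a restriction actually took effect instead of trusting the config line. The model assumes the base keywords (NORMAL, SECURE128, ...) enable TLS 1.0 through 1.3 in the GnuTLS build in use (older releases do not enable 1.3), ignores cipher/MAC/KX keywords entirely, and `disable_below()` builds the "-VERS-TLS1.0"-style modifiers that the tls-min-version= option was expected to produce.

```python
"""Model GnuTLS priority-string version handling and probe a TLS listener.

Added example, not Squid or GnuTLS code. Only the VERS-* keywords of a
priority string are modelled; cipher, MAC and key-exchange keywords are
accepted but ignored.
"""
import socket
import ssl
from typing import Optional, Set

# Protocol versions, oldest first. Assumption: every base keyword below
# enables all four in the GnuTLS build being configured.
ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
BASE_KEYWORDS = {"NORMAL", "PFS", "SECURE128", "SECURE192", "SECURE256",
                 "LEGACY", "PERFORMANCE", "NONE"}


def _versions_named(keyword: str) -> Optional[Set[str]]:
    """Return the versions a VERS-* keyword names, or None for other keywords."""
    if keyword in ("VERS-ALL", "VERS-TLS-ALL"):
        return set(ORDER)
    if keyword.startswith("VERS-") and keyword[5:] in ORDER:
        return {keyword[5:]}
    return None


def enabled_versions(priority: str) -> Set[str]:
    """Versions left enabled after applying the priority string's modifiers."""
    tokens = [t for t in priority.split(":") if t]
    if not tokens or tokens[0] not in BASE_KEYWORDS:
        raise ValueError("priority string must start with a base keyword")
    enabled: Set[str] = set() if tokens[0] == "NONE" else set(ORDER)
    for tok in tokens[1:]:
        if tok.startswith("%"):
            continue  # %-options such as %COMPAT do not touch versions
        if tok[0] not in "+-":
            raise ValueError(f"expected a +/- modifier, got {tok!r}")
        named = _versions_named(tok[1:])
        if named is None:
            continue  # cipher/MAC/KX keyword: out of scope for this model
        if tok[0] == "+":
            enabled |= named
        else:
            enabled -= named
    return enabled


def disable_below(min_version: str) -> str:
    """Modifiers disabling every version older than min_version, e.g.
    disable_below("TLS1.1") -> "-VERS-TLS1.0"; append them with ':'."""
    if min_version not in ORDER:
        raise ValueError(f"unknown version {min_version!r}")
    return ":".join("-VERS-" + v for v in ORDER[: ORDER.index(min_version)])


_PY_VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiated_version(host: str, port: int, version: str,
                       timeout: float = 5.0) -> Optional[str]:
    """Offer exactly one protocol version; return what the server negotiated,
    or None if the handshake failed (server refused it, or the local OpenSSL
    would not offer it, so check the client library when all probes fail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # probing versions, not validating the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = _PY_VERSIONS[version]
    ctx.maximum_version = _PY_VERSIONS[version]
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer 1.0/1.1
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    # Usage: python probe.py 192.168.x.y 443   (host/port are placeholders)
    host, port = sys.argv[1], int(sys.argv[2])
    for v in ORDER:
        print(f"{v}: {negotiated_version(host, port, v) or 'refused'}")
```

Run the probe against the listener before and after changing tls-options=; if "TLS1.0: refused" does not appear after adding ":-VERS-TLS1.0", the string is not reaching the library, which is exactly the symptom reported above.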

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
On 12/11/18 11:05 PM, Martin Hoffmann wrote:
> Thanks for your quick reply.
>
> Are you sure that tls-options *is working*?
>

Nope, as I said earlier it is not tested much. Just that it builds and
passes the strings as-is to the library. It should "just work" since the
library is doing all the lifting.

The server connection side has had a bit more, testing that TLS version
restriction worked there.


> It seems that no matter what options I give to tls-options everything is
> ignored:
>
> https_port 192.168.x.y:443 tls-cert=/path/cert.crt
> tls-key=/path/cert.key tls-dh=/path/dhparams.pem
> tls-options=NORMAL:-VERS-TLS1.0 accel defaultsite=my.domain.com
>
>
> I have even
> tried tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2  - but in
> the end its all the same, TLS 1.0, 1.1 and 1.2 are enabled and all the
> same cipher suites are active. Absolute identical to
> omitting tls-options=... altogether.
>
> Any idea?
>

Hmm. Looking into it now.

Amos