Bug #15614
open
Squid 6.6 Package should have NO_TLSv1 and NO_TLSv1_1 feature flags set on directive pls_outgoing_options
0%
Description
$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
This variable is also used with
tls_outgoing_options
However without the feature flags set TLS1 and TLS1_1 is being used, this can be seen inside of pcap files. This causes issues with websites sending change cipher requests. Please set this directive's feature flags to no longer use TLS1 or TLS1.1. This leaves TLS1.2 and TLS1.3 for use with the proxy. I have confirmed this forces use of TLS1.2 and TLS1.3. With this feature flag set TLS1 and 1.1 are no longer seen in pcap files when communicating with the proxy. The pcap files were generated inside of pfsense to find this issue.
This fix forces the proxy to use TLS1_2 and TLS1_3 only.
PCAP files can verify this fix to Squid package
See GitHub I mixed up the merge and it turned into a revert and I could not revert the revert so I canceled it but it turned into a draft with 1 million merges. Still learning
@$crt_cafile = SQUID_LOCALBASE . "/share/certs/ca-root-nss.crt";
$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
/* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
* http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
*/
if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
// Modern cipher suites
$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
$sslproxy_options .= ",NO_TLSv1";
} else {
$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EE@
Line 1233 has fix
Ref: https://github.com/pfsense/FreeBSD-ports/commit/adc3e1c77539d69a34a91926b5eebfa35a11d101
Updated by Jonathan Lee 6 days ago
www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
Line 1233 needs feature flags added