Bug #15614 (closed)
Squid 6.6 Package should have NO_TLSv1 and NO_TLSv1_1 feature flags set on directive tls_outgoing_options
Description
$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
This variable is also used with tls_outgoing_options.
However, without the feature flags set, TLS1 and TLS1_1 are being used; this can be seen inside of pcap files. This causes issues with websites sending change cipher requests. Please set this directive's feature flags to no longer use TLS1 or TLS1.1. This leaves TLS1.2 and TLS1.3 for use with the proxy. I have confirmed this forces use of TLS1.2 and TLS1.3. With this feature flag set, TLS1 and 1.1 are no longer seen in pcap files when communicating with the proxy. The pcap files were generated inside of pfSense to find this issue.
This fix forces the proxy to use TLS1_2 and TLS1_3 only.
PCAP files can verify this fix to the Squid package.
See GitHub: I mixed up the merge and it turned into a revert, and I could not revert the revert, so I canceled it, but it turned into a draft with 1 million merges. Still learning.
$crt_cafile = SQUID_LOCALBASE . "/share/certs/ca-root-nss.crt";
$sslproxy_options = "NO_SSLv3, NO_TLSv1, NO_TLSv1_1";
/* XXX: Bug #4453, Bug #6592, Feature #6593, Bug #6563
 * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
 */
if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
	// Modern cipher suites
	$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
	$sslproxy_options .= ",NO_TLSv1";
} else {
	$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EE
Line 1233 has the fix.
Ref: https://github.com/pfsense/FreeBSD-ports/commit/adc3e1c77539d69a34a91926b5eebfa35a11d101
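Besides inspecting pcap files, the generated squid.conf itself can be audited for the flags this report asks for. The following shell helper is an added example, not part of the pfSense squid package or this ticket's commit; it assumes the pfSense-generated directive has the form "tls_outgoing_options options=... cipher=..." and normalizes the ", " separators used in $sslproxy_options before checking.

```sh
#!/bin/sh
# Added audit helper (not pfSense package code): checks that every
# tls_outgoing_options line in a squid.conf carries NO_TLSv1 and NO_TLSv1_1.
# Assumed directive layout:
#   tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=...
squid_tls_options_ok() {
    conf="$1"
    # Collapse ", " to "," so options= is one token, then extract that token
    # from each tls_outgoing_options line (one value per output line).
    opts=$(sed -n -e 's/,[[:space:]]*/,/g' \
        -e 's/^[[:space:]]*tls_outgoing_options[[:space:]].*options=\([^[:space:]]*\).*/\1/p' "$conf")
    if [ -z "$opts" ]; then
        echo "$conf: no tls_outgoing_options options= directive found" >&2
        return 1
    fi
    status=0
    for o in $opts; do
        for flag in NO_TLSv1 NO_TLSv1_1; do
            # Match the flag as a whole comma-separated token: NO_TLSv1_1
            # must not satisfy the NO_TLSv1 check, hence the surrounding commas.
            case ",$o," in
                *",$flag,"*) ;;
                *) echo "$conf: options=$o lacks $flag" >&2; status=1 ;;
            esac
        done
    done
    return $status
}

# Constructed sample configs (not real pfSense output) for a quick self-check.
bad=$(mktemp); good=$(mktemp)
printf 'tls_outgoing_options options=NO_SSLv3 cipher=EECDH+AESGCM\n' > "$bad"
printf 'tls_outgoing_options options=NO_SSLv3, NO_TLSv1, NO_TLSv1_1 cipher=EECDH+AESGCM\n' > "$good"
squid_tls_options_ok "$bad" || echo "sample without the flags is rejected"
squid_tls_options_ok "$good" && echo "sample with NO_TLSv1 and NO_TLSv1_1 passes"
rm -f "$bad" "$good"
```

Run it against /usr/local/etc/squid/squid.conf after saving the package settings; a non-zero exit means a directive still permits TLS 1.0 or 1.1.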
Updated by Jonathan Lee 5 months ago
www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
Line 1233 needs feature flags added.
Updated by Jonathan Lee 24 days ago
Please close: @marcos already merged the fix within redmine 15381. This is resolved.
Updated by Jim Pingle 24 days ago
- Status changed from New to Duplicate
- Priority changed from High to Normal