Thanks Amos for your quick reply,

I tried your recommendations, but nothing works; I can't get TLS 1.2 to work.

I get a 404 error on your patch link.

Cheers,
Sebastien W.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: jeudi 15 mars 2012 11:32
To: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support

On 15/03/2012 8:41 p.m., Sébastien WENSKE wrote:
> Hello Amos,
>
> I probably made a mistake... because I built openssl 10.0.1 in /lib_indep and 
> specified the path in ./configure with 
> "--with-openssl=/lib_indep/include/openssl"
> Squid works well, but no change on SSL Lab Server Test: 
> https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr

Looking at it, Squid has no explicit support for TLSv1.1 or 1.2. But the TLS/SSL 
auto-negotiate (https_port ... version=1) should be arranging for it to appear. 
You might need to also set the ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1 for the 
new ones to show up though.

I have a patch you can try at
http://www.squid-cache.org/~amosjeffries/patches/squid-3.1_upgrade_TLSv12.patch
It adds support for the server/client methods and NO_TLSv1_* options to help 
with your experimenting.

Amos

> Cheers,
> Sebastien W.
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: mercredi 14 mars 2012 22:33
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] RE: TLS v1.2 support
>
> On 15.03.2012 05:16, Sébastien WENSKE wrote:
>> OpenSSL 1.0.1  (not 10.0.1)
>>
>> -----Original Message-----
>> From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
>> Sent: mercredi 14 mars 2012 17:14
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] TLS v1.2 support
>>
>> Hi guys,
>>
>> OpenSSL 10.01 was just released; it seems that it supports TLS v1.2.
>>
> Thanks for the heads-up.
>
>
>> What about Squid?
> Squid supports whatever the library you build it with does.
>
> About the only relevance a change like this has is if there are new options 
> which we have to map from squid.conf to the OpenSSL API calls ("NO_TLSv11" or 
> such.). Or if they do some more ABI-breaking alterations like the 1.0.0 c->d 
> re-write had.
>
> Amos
>
