[squid-users] will multiple tls_outgoing_options lines be combined?
Amish
2018-07-03 11:23:27 UTC
Hello,

I am trying new options in squid 4.1.

For easy readability can I use tls_outgoing_options multiple times in
squid.conf?

Like this: (Tips from
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit)

tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Will it merge all 3 as if mentioned on 1 single line?
Or will it pick only last (or first) option and internal defaults for rest?

I am not an SSL/TLS expert so I do not know how to test this, i.e. how to
know if it's really working.

For some reason "debug_options 3,9" is not generating anything in cache.log.

Note: Debug Section 3 = Configuration File Parsing

Thanks in advance,

Amish.
Amos Jeffries
2018-07-03 12:37:22 UTC
Post by Amish
Hello,
I am trying new options in squid 4.1.
For easy readability can I use tls_outgoing_options multiple times in
squid.conf?
Yes. Provided the options specified on each are different.
Post by Amish
Like this: (Tips from
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit)
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
Will it merge all 3 as if mentioned on 1 single line?
The above will, yes.
Post by Amish
Or will it pick only last (or first) option and internal defaults for rest?
Each option in the directive replaces previous values of that same option.

For example:

tls_outgoing_options cipher=A cipher=B

is the same as:

tls_outgoing_options cipher=B


Since above you are setting different named option on every line, your
setup is equivalent to all the options being on one line.


However, Squid understands line wrapping. So this question is not very
useful. You could simplify even further like this:

tls_outgoing_options \
cafile=/etc/ssl/cert.pem \
options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:....
Post by Amish
I am not an SSL/TLS expert so I do not know how to test this i.e. how to
know if its really working.
Then it's a good sign you are asking for help. TLS is a pit of troubles
for the unaware. To successfully manage use of SSL-Bump features you
need at least an understanding of how the TLS protocol operates.
Note that this is *not* the crypto, just how the messaging works.

This directive controls what capabilities Squid lets your OpenSSL
library advertise in clientHello and TLS extension messages sent to
servers (not cache_peer) during a TLS handshake.
So to debug use something like wireshark to look at the packets and see
what the handshake contains.


Amos
Amish
2018-07-03 13:45:06 UTC
Post by Amos Jeffries
Post by Amish
Or will it pick only last (or first) option and internal defaults for rest?
Each option in the directive replaces previous values of that same option.
For example;
tls_outgoing_options cipher=A cipher=B
tls_outgoing_options cipher=B
Since above you are setting different named option on every line, your
setup is equivalent to all the options being on one line.
However, Squid understands line wrapping. So this question is not very
tls_outgoing_options \
cafile=/etc/ssl/cert.pem \
options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:....
Didn't know about line wrapping support.

But my question is still useful in my case. Writing a small and quick sed
script becomes easy.

Thank you for your super quick answers!

Amish
Amos Jeffries
2018-07-03 16:44:44 UTC
Post by Amish
Post by Amos Jeffries
Post by Amish
Or will it pick only last (or first) option and internal defaults for rest?
Each option in the directive replaces previous values of that same option.
For example;
   tls_outgoing_options cipher=A cipher=B
   tls_outgoing_options cipher=B
Since above you are setting different named option on every line, your
setup is equivalent to all the options being on one line.
However, Squid understands line wrapping. So this question is not very
  tls_outgoing_options \
    cafile=/etc/ssl/cert.pem \
    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:....
Didn't know about line wrapping support.
But my question is still useful in my case. Writing small and quick sed
script becomes easy.
Ah, you are thinking of automatic upgrades, right?

Watch out with that. The removal of SSLv2 settings (eg NO_SSLv2) at
times makes the new config directive halt with an OpenSSL unsupported
option error.

Amos
