[squid-users] Bumping TLS 1.3
Turnbull, John
2018-10-25 00:21:00 UTC
I was wondering about bumping TLS 1.3 connections and if you think that will ever be supported.


Thanks,

John Turnbull
Amos Jeffries
2018-10-25 09:03:38 UTC
Post by Turnbull, John
I was wondering about bumping TLS 1.3 connections and if you think that
will ever be supported.
Probably. ETA indeterminate.

To quote myself from the docs:
"When used properly TLS cannot be bumped".

What Squid does now is take advantage of shortcuts and workarounds many
installations use(d) to avoid trouble or administration hassles with
TLS/SSL.

Bump only works at all when those shortcuts allow Squid to impose itself
as MITM into the handshake sequence. TLS/1.3 does not change that
situation - just the code needed to do the insertion will have to be
redesigned a fair bit (already underway AFAIK).


What TLS/1.3 brings to the situation differently is hiding a lot of
details like SNI and server cert that were previously available up-front
for the admin to selectively *avoid* bumping traffic they thought was okay.

So admins will soon / now be faced with having to bump *everything* and
block those relatively few parties actually using TLS "properly".

The reality is that *splice* is the ability TLS/1.3 makes harder to do
reliably.

Amos
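A selective ssl_bump policy of the kind the reply describes, as an added example that is not from this thread or from the Squid project's documentation. It assumes a Squid 4 build with OpenSSL, a signing CA at /etc/squid/bumpCA.pem, the helper path shown, and placeholder domain names; the directive and ACL names are Squid's own. Since a TLS 1.3 server's certificate is encrypted, the only up-front detail left to act on is what the ClientHello carries, so the splice/bump decision is made at step 1:

```conf
# Added example, not from the thread. Paths and domains below are assumptions.
# Intercepting port: Squid terminates TLS and mints a per-site certificate
# signed by the bump CA for connections it decides to bump.
http_port 3128 ssl-bump \
    cert=/etc/squid/bumpCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
# Certificate-generation helper (path varies by distribution).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Handshake steps: step 1 has only the ClientHello (SNI, if the client sent one);
# step 2 has the server's reply, where TLS 1.3 no longer exposes the certificate.
acl step1 at_step SslBump1

# Destinations the admin chooses NOT to inspect, keyed on the ClientHello SNI.
# Placeholder names; replace with the real allow-list.
acl splice_sni ssl::server_name .bank.example .health.example

# Peek at the ClientHello first so both splice and bump remain possible.
ssl_bump peek step1
# Pass selected destinations through untouched (no MITM, original cert reaches client).
ssl_bump splice splice_sni
# Everything else is bumped: Squid becomes the TLS endpoint for both sides.
ssl_bump bump all
```

Anything that cannot be identified at step 1 falls through to the `bump all` rule, which is the "bump everything" outcome the reply warns about; there is no later step at which a TLS 1.3 server certificate can be inspected to rescue it.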
