On 28/02/19 12:25 pm, Stilyan Georgiev wrote:
> When testing like so: openssl s_client -connect google.com:443
> I get tls1.2 back
>
> Via mobile chrome browser (android) and the proxy I get tls1.3
> Truly don't understand :)
>
I expect that Chrome is using their own custom SSL library and HTTP/3 protocol which does not go through Squid.

The openssl test will be strictly using a single TCP connection with a CONNECT tunnel through your Squid. The SSL-Bump process you have set up will be bumping that and Squid negotiating the TLS version you have configured.

The Chrome on the other hand may be negotiating the TLS/1.3 handshake via side channels and then resuming it as a normal TLS session resumption over the Squid connection, OR possibly not even going via the proxy at all (aka QUIC, HTTP/3).

Google products also have a preference for using Google's custom SSL library rather than OpenSSL - so your custom OpenSSL may not be relevant at the client endpoint. Whereas the openssl tools will naturally be using libssl like Squid.

If you are not using SSL-Bump in the way(s) indicated previously by Alex, then your custom OpenSSL build and squid.conf options are irrelevant. The CONNECT traffic would be going straight through the proxy without being touched. To have any control over TLS the proxy must be an _active_ agent participating in the TLS handshake.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
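One way to check whether the proxy is actually an active agent in the handshake, as an added example that is not part of the thread: with SSL-Bump the leaf certificate is minted by Squid, so the issuer seen by `openssl s_client` is the proxy's CA, while a plain CONNECT tunnel shows the origin's real CA. The `-proxy` flag, the host names and the "Squid Bump CA" issuer are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell a bumped connection from a
# tunnelled one by inspecting `openssl s_client` output.

# Negotiated protocol, from the "Protocol  : TLSv1.x" line of s_client output (stdin).
tls_version_from_sclient() {
    sed -n 's/^ *Protocol *: *\(TLSv1[.0-9]*\).*/\1/p' | head -n 1
}

# Issuer of the leaf certificate, from the "issuer=" line of s_client output (stdin).
issuer_from_sclient() {
    sed -n 's/^issuer=//p' | head -n 1
}

# "bumped" if the issuer names the proxy CA (substring in $2), else "tunneled".
# $1 = full text of s_client output
bump_status() {
    issuer=$(printf '%s\n' "$1" | issuer_from_sclient)
    case "$issuer" in
        *"$2"*) echo bumped ;;
        *)      echo tunneled ;;
    esac
}

# Live probe: same target directly and through the proxy, print both results.
# Needs OpenSSL >= 1.1.0 for -proxy. $1 = host, $2 = proxy host:port,
# $3 = substring of the proxy CA subject (the CN of the cert in your squid.conf).
probe() {
    direct=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    via=$(openssl s_client -proxy "$2" -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    echo "direct:    $(printf '%s\n' "$direct" | tls_version_from_sclient) $(bump_status "$direct" "$3")"
    echo "via proxy: $(printf '%s\n' "$via" | tls_version_from_sclient) $(bump_status "$via" "$3")"
}

# Constructed sample output (abridged) as seen when Squid bumps the session.
SAMPLE_BUMPED='CONNECTED(00000003)
depth=0 CN = www.example.com
issuer=CN = Squid Bump CA, O = Example Lab
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample for a plain tunnel: the origin's own CA signs the leaf.
SAMPLE_TUNNELED='CONNECTED(00000003)
issuer=C = US, O = Example Trust Services, CN = Example CA 1
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Protocol  : TLSv1.3'
```

Run `probe www.example.com 127.0.0.1:3128 "Squid Bump CA"` against a live proxy; a "tunneled" result on the via-proxy line means squid.conf TLS settings are not being applied to that traffic at all.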