Hi,

I've set up a firewall and proxy with pf & Squid on FreeBSD. Is it
possible to observe and filter with Squid which cipher suite is selected
between the end points (client and server) without changing their SSL
certificates, i.e. without mimicking the server certificate?

My main goal is to avoid weak ciphers that the parties agree upon. I want to
force my clients to use modern algorithms while surfing the internet
filtered by Squid.

For example, if the client and server agree on a cipher suite that includes
MD5 or SHA1, DES or RC4, or on SSLv3, or if the server sends my client a
certificate signed with SHA1, or an expired certificate, etc., I want to
ban the traffic.

There is a directive '*tls_outgoing_options*' in Squid, and it has
'*cipher*' and '*min-version*' options. Do these options
satisfy my goal?

Sincerely,
Ali

Note: I already asked this question in
https://serverfault.com/questions/987463/filtering-cipher-suites-and-certificate-algorithms-without-man-in-the-middle
and
https://crypto.stackexchange.com/questions/74936/observing-cipher-suites-and-certificate-algorithms-without-man-in-the-middle

_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
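The following squid.conf fragment is an added example (not part of Ali's post and not taken from the Squid project) showing how the two options named above are written, together with a peek-and-splice ssl_bump rule that inspects the ClientHello without re-signing anything. It assumes Squid 4.x syntax and an http_port with the ssl-bump option configured elsewhere in the same file. The important caveat is in the comments: tls_outgoing_options constrains only TLS sessions that Squid itself originates (a TLS cache_peer, or the server side of a bumped connection); bytes inside a CONNECT tunnel that Squid merely relays are passed through unchanged, so on a spliced connection the client and server still negotiate the cipher suite between themselves.

```squid
# Added example, not from the original post. Squid 4.x syntax assumed.
#
# tls_outgoing_options applies to TLS connections Squid opens on its own
# behalf (e.g. to a TLS cache_peer, or to the origin after ssl_bump
# "bump"). It does NOT reach inside a CONNECT tunnel that Squid only
# relays, so it cannot by itself police a spliced client<->server
# handshake.
#
# The cipher= value uses OpenSSL cipher-list syntax: keep HIGH-strength
# suites and exclude anonymous DH, null encryption, MD5 and SHA1 MACs,
# RC4, single and triple DES, export suites and PSK. Note that "!SHA1"
# removes suites with an HMAC-SHA1 MAC; it says nothing about the
# signature algorithm of the server's certificate.
tls_outgoing_options min-version=1.2 \
    cipher=HIGH:!aNULL:!eNULL:!MD5:!SHA1:!RC4:!DES:!3DES:!EXPORT:!PSK

# Peek at the TLS ClientHello so Squid sees the SNI (and the client's
# offered parameters) without decrypting, then splice: the original
# server certificate reaches the client exactly as the origin sent it,
# nothing is mimicked, and the options above are not applied to this
# relayed handshake.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
```

In practice this means the two options answer the question only for traffic Squid terminates on its own TLS stack; for everything that is spliced, the proxy can see what the client offers but does not choose what the server picks.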