Thanks Amos for your quick reply,
I tried your recommendations but nothing works, I can't get TLS 1.2 to work
I get a 404 error on your patch link
Cheers,
Sebastien W.
-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: jeudi 15 mars 2012 11:32
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] RE: TLS v1.2 support
On 15/03/2012 8:41 p.m., Sébastien WENSKE wrote:
> Hello Amos,
>
> I probably did a mistake.... because I built openssl 10.0.1 in /lib_indep and specified the path in ./configure with "--with-openssl=/lib_indep/include/openssl"
> Squid works well, but no change on SSL Lab Server Test:
> https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr
Looking at it Squid has no explicit support for TLSv1.1 or 1.2. But the TLS/SSL auto-negotiate (https_port ... version=1) should be arranging for it to appear. You might need to also set the
ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1 for the new ones to show up though.
I have a patch you can try at
http://www.squid-cache.org/~amosjeffries/patches/squid-3.1_upgrade_TLSv12.patch
It adds support for the server/client methods and NO_TLSv1_* options to help with your experimenting.
Amos
> Cheers,
> Sebastien W.
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: mercredi 14 mars 2012 22:33
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] RE: TLS v1.2 support
>
> On 15.03.2012 05:16, Sébastien WENSKE wrote:
>> OpenSSL 1.0.1 (not 10.0.1)
>>
>> -----Original Message-----
>> From: Sébastien WENSKE [mailto:sebastien_at_wenske.fr]
>> Sent: mercredi 14 mars 2012 17:14
>> To: squid-users_at_squid-cache.org
>> Subject: [squid-users] TLS v1.2 support
>>
>> Hi guys,
>>
>> OpenSSL 10.01 just released, it seems that it supports TLS v1.2.
>>
> Thanks for the heads-up.
>
>
>> What about Squid?
> Squid supports whatever the library you build it with does.
>
> About the only relevance a change like this has is if there are new options which we have to map from squid.conf to the OpenSSL API calls ("NO_TLSv11" or such.). Or if they do some more ABI-breaking alterations like the 1.0.0 c->d re-write had.
>
> Amos
>
This archive was generated by hypermail 2.2.0 : Thu Mar 15 2012 - 12:00:02 MDT