Squid configuration directive tls_outgoing_options

Available in: 4  

History:

Changes to tls_outgoing_options in Squid-4:

New directive to define TLS security context options for outgoing connections. For example to HTTPS servers.

This directive is not available in the 3.5 version of Squid.

For older versions than 3.3 see the linked pages above

Configuration Details:

Option Name:tls_outgoing_options
Replaces:
Requires:--with-gnutls or --with-openssl
Default Value:tls_outgoing_options min-version=1.0
Suggested Config:

	disable		Do not support https:// URLs.
	
	cert=/path/to/client/certificate
			A client TLS certificate to use when connecting.
	
	key=/path/to/client/private_key
			The private TLS key corresponding to the cert= above.
			If key= is not specified cert= is assumed to reference
			a PEM file containing both the certificate and the key.
	
	cipher=...	The list of valid TLS ciphers to use.

	min-version=1.N
			The minimum TLS protocol version to permit.
			To control SSLv3 use the options= parameter.
			Supported Values: 1.0 (default), 1.1, 1.2

	options=...	Specify various TLS/SSL implementation options.

			OpenSSL options most important are:

			    NO_SSLv3    Disallow the use of SSLv3

			    SINGLE_DH_USE
				      Always create a new key when using
				      temporary/ephemeral DH key exchanges

			    NO_TICKET
				      Disable use of RFC5077 session tickets.
				      Some servers may have problems
				      understanding the TLS extension due
				      to ambiguous specification in RFC4507.

			    ALL       Enable various bug workarounds
				      suggested as "harmless" by OpenSSL
				      Be warned that this reduces SSL/TLS
				      strength to some attacks.

				See the OpenSSL SSL_CTX_set_options documentation
				for a more complete list.

			GnuTLS options most important are:

			    %NO_TICKETS
				      Disable use of RFC5077 session tickets.
				      Some servers may have problems
				      understanding the TLS extension due
				      to ambiguous specification in RFC4507.

				See the GnuTLS Priority Strings documentation
				for a more complete list.
				http://www.gnutls.org/manual/gnutls.html#Priority-Strings

	
	cafile=		PEM file containing CA certificates to use when verifying
			the peer certificate. May be repeated to load multiple files.

	capath=		A directory containing additional CA certificates to
			use when verifying the peer certificate.
			Requires OpenSSL or LibreSSL.
	
	crlfile=... 	A certificate revocation list file to use when
			verifying the peer certificate.
	
	flags=...	Specify various flags modifying the TLS implementation:
	
			DONT_VERIFY_PEER
				Accept certificates even if they fail to
				verify.
			DONT_VERIFY_DOMAIN
				Don't verify the peer certificate
				matches the server name
	
	default-ca[=off]
			Whether to use the system Trusted CAs. Default is ON.
	
	domain= 	The peer name as advertised in its certificate.
			Used for verifying the correctness of the received peer
			certificate. If not specified the peer hostname will be
			used.

 

Back

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors