Can I use Squid to upgrade client TLS connections?

半阙折子戏 2021-01-06 08:29

I'm trying to allow legacy systems (CentOS 5.x) to continue making connections to services which will shortly allow only TLS v1.1 or TLS v1.2 connections (Salesforce, vario

1 answer
  • 2021-01-06 08:49

    I was able to get this working by only bumping at step1, and not peeking or staring. The final configuration that I used (with comments) is below:

    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
    
    # Write access and cache logs to disk immediately using the stdio module.
    
    access_log stdio:/var/log/squid/access.log
    cache_log  /var/log/squid/cache.log
    
    # Define ACLs related to ssl-bump steps.
    
    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    
    # The purpose of this instance is not to cache, so disable that.
    
    cache_store_log none
    cache           deny all
    
    # Set up http_port configuration. All clients will be explicitly specifying
    # use of this proxy instance, so https_port interception is not needed.
    
    http_access allow all
    http_port   3128 ssl-bump cert=/etc/squid/certs/squid.pem \
                generate-host-certificates=on version=1
    
    # Bump immediately at step 1. Peeking or staring at steps one or two will cause
    # part or all of the TLS HELLO message to be duplicated from the client to the
    # server; this includes the TLS version in use, and the purpose of this proxy
    # is to upgrade TLS connections.
    
    ssl_bump bump step1 all
    
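The answer hinges on which ssl_bump action wins at step 1, because that is the moment Squid decides whether to forward the client's ClientHello or to open its own TLS session. The following script is an added example (not the poster's configuration and not Squid's own code): it parses `acl ... at_step` and `ssl_bump` lines, resolves the first matching rule per step the way Squid does, and reports whose ClientHello reaches the origin under a deliberately simplified model of the answer's comment (bump at step 1 means Squid negotiates with its own stack, peek forwards the client's Hello, stare sends a Hello mimicking it). The assumptions are: any ACL other than `all` and the at_step ACLs is treated as matching, and the behaviour when no rule matches is left as "none" rather than guessing Squid's version-specific default. The second config, `PEEK_THEN_BUMP`, is constructed to contrast with the answer's rule.

```python
"""Toy evaluator for Squid ssl_bump rules with at_step ACLs (added example)."""
from dataclasses import dataclass, field

STEP_ACL_VALUES = {"SslBump1": 1, "SslBump2": 2, "SslBump3": 3}

# The ssl-bump directives from the answer above.
ANSWER_RULES = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump step1 all
"""

# Constructed contrast: a common peek-then-bump layout.
PEEK_THEN_BUMP = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump bump step2 all
"""


@dataclass
class BumpConfig:
    step_acls: dict = field(default_factory=dict)  # acl name -> step number
    rules: list = field(default_factory=list)      # [(action, [acl, ...]), ...]


def parse_config(text: str) -> BumpConfig:
    """Collect at_step ACLs and ssl_bump rules; every other directive is ignored."""
    cfg = BumpConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) == 4 and parts[2] == "at_step":
            cfg.step_acls[parts[1]] = STEP_ACL_VALUES[parts[3]]
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            cfg.rules.append((parts[1], parts[2:]))
    return cfg


def action_at_step(cfg: BumpConfig, step: int):
    """First ssl_bump rule whose ACLs all match at this step, or None.

    Simplification (assumption): 'all' always matches, an at_step ACL matches
    only at its own step, and any other ACL name is assumed to match.
    """
    for action, acls in cfg.rules:
        if all(a == "all" or cfg.step_acls.get(a, step) == step for a in acls):
            return action
    return None


def client_hello_source(cfg: BumpConfig) -> str:
    """Who authors the ClientHello the origin server sees (simplified model).

    Step 1 decides this: at that point Squid holds only the client's Hello.
    """
    act = action_at_step(cfg, 1)
    if act == "bump":
        return "proxy"   # Squid's own TLS stack negotiates: version upgrade possible
    if act == "peek":
        return "client"  # client's Hello is forwarded: legacy version reaches server
    if act == "stare":
        return "mimic"   # Squid's Hello copies client features: partly the client's
    if act == "splice":
        return "client"  # plain tunnel, nothing is changed
    return "none"        # terminate, or no matching rule (Squid's default applies)


def upgrade_possible(cfg: BumpConfig) -> bool:
    """True only when the proxy, not the client, authors the origin-side Hello."""
    return client_hello_source(cfg) == "proxy"


if __name__ == "__main__":
    for name, text in (("answer", ANSWER_RULES), ("peek-then-bump", PEEK_THEN_BUMP)):
        cfg = parse_config(text)
        steps = {s: action_at_step(cfg, s) for s in (1, 2, 3)}
        print(f"{name}: steps={steps} hello_from={client_hello_source(cfg)} "
              f"upgrade_possible={upgrade_possible(cfg)}")
```

Run it to see that the answer's single `bump step1 all` rule leaves the proxy in charge of the origin-side handshake, while the peek-then-bump layout hands the client's Hello (and therefore its TLS version) to the server before any bump can happen; that is the mechanism the answer's comment describes, and the reason later-step bumping cannot rescue a legacy client.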