Squid configuration manual

Reference manual for squid's configuration directives



Option Name:

tls_outgoing_options

Suggested Config:


Details:

disable		Do not support https:// URLs.

cert=/path/to/client/certificate
		A client X.509 certificate to use when connecting.

key=/path/to/client/private_key
		The private key corresponding to the cert= above.

		If key= is not specified cert= is assumed to
		reference a PEM file containing both the certificate
		and private key.

cipher=...	The list of valid TLS ciphers to use.

min-version=1.N
		The minimum TLS protocol version to permit.
		To control SSLv3 use the options= parameter.
		Supported Values: 1.0 (default), 1.1, 1.2, 1.3
		Note that the default still permits TLS 1.0 and 1.1,
		both of which are deprecated (RFC 8996); set 1.2 or
		higher unless a legacy peer requires otherwise.

options=...	Specify various TLS/SSL implementation options.

		OpenSSL options most important are:

		    NO_SSLv3    Disallow the use of SSLv3

		    SINGLE_DH_USE
			      Always create a new key when using
			      temporary/ephemeral DH key exchanges

		    NO_TICKET
			      Disable use of RFC5077 session tickets.
			      Some servers may have problems
			      understanding the TLS extension due
			      to ambiguous specification in RFC4507.

		    ALL       Enable various bug workarounds
			      suggested as "harmless" by OpenSSL.
			      Be warned that this weakens SSL/TLS
			      against some attacks.

			See the OpenSSL SSL_CTX_set_options documentation
			for a more complete list.

		GnuTLS options most important are:

		    %NO_TICKETS
			      Disable use of RFC5077 session tickets.
			      Some servers may have problems
			      understanding the TLS extension due
			      to ambiguous specification in RFC4507.

			See the GnuTLS Priority Strings documentation
			for a more complete list.
			http://www.gnutls.org/manual/gnutls.html#Priority-Strings


cafile=		PEM file containing CA certificates to use when verifying
		the peer certificate. May be repeated to load multiple files.

capath=		A directory containing additional CA certificates to
		use when verifying the peer certificate.
		Requires OpenSSL or LibreSSL.

crlfile=... 	A certificate revocation list file to use when
		verifying the peer certificate.

flags=...	Specify various flags modifying the TLS implementation:

		DONT_VERIFY_PEER
			Accept certificates even if they fail to
			verify. With this flag Squid cannot detect a
			forged, expired or mis-issued server
			certificate.
		DONT_VERIFY_DOMAIN
			Don't verify that the peer certificate
			matches the server name.

default-ca[=off]
		Whether to use the system Trusted CAs. Default is ON.

domain= 	The peer name expected in its certificate.
		Used for verifying the correctness of the received peer
		certificate. If not specified the peer hostname will be
		used.
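
The following is an added example, not part of the Squid documentation or the Squid source: a small audit script that parses tls_outgoing_options lines out of a squid.conf text and reports the weak settings described above (DONT_VERIFY_PEER, DONT_VERIFY_DOMAIN, the TLS 1.0 default, options=ALL, default-ca=off with no cafile=/capath=). The directive syntax it understands (space-separated key=value tokens, bare disable and default-ca, backslash line continuation) follows this page; the severity labels, the treatment of ',' and ':' as separators inside options= and flags=, and the sample squid.conf are this script's own assumptions.

```python
"""Audit tls_outgoing_options lines in a squid.conf (added example, not
Squid project code).  Syntax follows the directive reference; severities
and the ','/':' separator handling are assumptions of this script."""
import re
from typing import Dict, Iterator, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample squid.conf: one weak line, one hardened line.
SAMPLE_SQUID_CONF = """\
http_port 3128
# weak: peer not verified, TLS 1.0 allowed, OpenSSL "harmless" workarounds on
tls_outgoing_options flags=DONT_VERIFY_PEER options=ALL
# hardened: explicit CA bundle only, TLS 1.2+, no session tickets
tls_outgoing_options min-version=1.2 \\
    options=NO_SSLv3:NO_TICKET:SINGLE_DH_USE \\
    cafile=/etc/squid/outgoing-ca.pem default-ca=off
"""


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, line) with backslash-continued lines joined;
    blank lines and '#' comments are skipped."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield start, joined


def parse_tls_options(value: str) -> Dict[str, List[str]]:
    """Split the directive value into {key: [values]}.  Every key maps to a
    list because cafile= may be repeated; bare keys get an empty value."""
    opts: Dict[str, List[str]] = {}
    for tok in value.split():
        key, sep, val = tok.partition("=")
        opts.setdefault(key, []).append(val if sep else "")
    return opts


def _tokens(opts: Dict[str, List[str]], key: str) -> set:
    """Union of the ','- or ':'-separated tokens of every value for key."""
    out: set = set()
    for v in opts.get(key, []):
        out.update(t for t in re.split(r"[,:]", v) if t)
    return out


def audit_tls_options(opts: Dict[str, List[str]]) -> List[Finding]:
    """Return findings for one parsed tls_outgoing_options line."""
    if "disable" in opts:
        return [("info", "disable: Squid will not support https:// URLs")]
    findings: List[Finding] = []
    flags, options = _tokens(opts, "flags"), _tokens(opts, "options")
    if "DONT_VERIFY_PEER" in flags:
        findings.append(("critical", "flags=DONT_VERIFY_PEER accepts certificates that fail verification"))
    if "DONT_VERIFY_DOMAIN" in flags:
        findings.append(("high", "flags=DONT_VERIFY_DOMAIN skips matching the certificate to the server name"))
    # Reference: min-version defaults to 1.0 and does not control SSLv3.
    raw_min = opts.get("min-version", ["1.0"])[0]
    try:
        minver = tuple(int(p) for p in raw_min.split("."))
    except ValueError:
        minver = (1, 0)
        findings.append(("warn", f"min-version={raw_min!r} is not of the form 1.N"))
    if minver < (1, 2):
        findings.append(("warn", f"min-version is {raw_min}; TLS 1.0/1.1 are permitted"))
    if "NO_SSLv3" not in options:
        findings.append(("info", "options= lacks NO_SSLv3; min-version alone does not disable SSLv3"))
    if "ALL" in options:
        findings.append(("warn", "options=ALL enables OpenSSL bug workarounds that weaken TLS"))
    # Trust anchors: default-ca is on unless written as default-ca=off.
    system_ca = opts.get("default-ca", ["on"])[0].lower() != "off"
    explicit_ca = bool(opts.get("cafile")) or bool(opts.get("capath"))
    if not system_ca and not explicit_ca and "DONT_VERIFY_PEER" not in flags:
        findings.append(("error", "default-ca=off with no cafile=/capath=: no trust anchors, every peer fails verification"))
    if "cert" in opts and "key" not in opts:
        findings.append(("info", "cert= without key=: the PEM file must hold both certificate and private key"))
    return findings


def audit_squid_conf(text: str) -> Dict[int, List[Finding]]:
    """Audit every tls_outgoing_options line, keyed by its first line number."""
    report: Dict[int, List[Finding]] = {}
    for lineno, line in logical_lines(text):
        parts = line.split(None, 1)
        if parts[0] == "tls_outgoing_options":
            report[lineno] = audit_tls_options(parse_tls_options(parts[1] if len(parts) > 1 else ""))
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(audit_squid_conf(SAMPLE_SQUID_CONF).items()):
        print(f"line {lineno}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against the constructed sample, the weak line at line 3 yields a critical finding for DONT_VERIFY_PEER plus warnings for the TLS 1.0 default and options=ALL, while the hardened line at line 5 yields nothing. The NO_SSLv3 check is only an informational note because on GnuTLS builds options= is a priority string and the OpenSSL flag does not apply.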