我是否可以使用Squid升级客户端TLS连接？

Question

我正在尝试允许遗留系统(Salesforce 5.x)继续连接到很快将只允许TLSV1.1或TLSV1.2连接的服务(CentOS、各种支付网关等)。

我已经在一个docker容器中的Centos 7服务器上安装了Squid 3.5，并且正在尝试配置squid以增加SSL连接。我的想法是，由于squid充当MITM并打开一个到客户端的连接和一个到目标服务器的连接，因此它将协商到目标的TLS1.2连接，而客户端使用SSLv3或TLS1.0进行连接。

我在这里是完全错误的吗，或者这应该是可能的吗？如果Squid不能做到这一点，有没有其他的代理可以做到呢？

我当前的squid配置如下所示：

access_log      /var/log/squid/access.log
cache_log       /var/log/squid/cache.log

cache_store_log none
cache           deny all

http_access     allow all
http_port       3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1

ssl_bump        stare all
ssl_bump        bump all

Answer 1

我只需要撞一下step1，而不是偷看或盯着看，就能让它正常工作。我使用的最终配置(带注释)如下：

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Write access and cache logs to disk immediately using the stdio module.

access_log stdio:/var/log/squid/access.log
cache_log  /var/log/squid/cache.log

# Define ACLs related to ssl-bump steps.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The purpose of this instance is not to cache, so disable that.

cache_store_log none
cache           deny all

# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.

http_access allow all
http_port   3128 ssl-bump cert=/etc/squid/certs/squid.pem \
            generate-host-certificates=on version=1

# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.

ssl_bump bump step1 all