bytedance / g3

Enterprise-oriented Generic Proxy Solutions
Apache License 2.0

TLS client protocol does not seem to be properly set from config #280

Closed mspublic closed 1 week ago

mspublic commented 4 weeks ago

I am trying to set the TLS client protocol for outgoing requests (that are intercepted), but the value does not appear to be respected. For example, I set it to tls1.2, but when I test with https://browserleaks.com/tls it always shows 1.3. This happens with OpenSSL and BoringSSL. Example config:

```yaml
- name: proxy
  escaper: default
  auditor: default
  type: http_proxy
  listen:
    address: "[::]:4000"
  tls_client:
    protocol: tls1.2
```

zh-jq-b commented 4 weeks ago

The tls_client config here only affects https_forward requests. Currently we don't support setting outgoing TLS protocol versions in TLS interception.

zh-jq commented 4 weeks ago

To support custom TLS client config for HTTP CONNECT requests, you need to use user-site config. Add the following to main.yaml:

```yaml
user-group:
  - name: default
    anonymous_user:
      name: anonymous
      audit:
        enable_protocol_inspection: true
      explicit_sites:
        - id: browserleaks
          exact_match: browserleaks.com
          tls_client:
            protocol: tls1.2
```

And you need to change the http_proxy server config to include `user-group: default`. All requests without user auth information will match that anonymous_user config. (This will also overwrite the TLS client config on the server side for https_forward requests.)
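
As an added illustration (not g3proxy's own code, and simplified from the behaviour described in this thread), a small Python model of which `tls_client.protocol` ends up applying to a request; the dicts are constructed samples mirroring the two configs above, and the matching and override rules are assumptions taken from the comments here:

```python
"""Model of which tls_client.protocol applies to a request through g3proxy.

Simplified from the behaviour described in this thread, not g3proxy's own
code.  Assumed: a request without user auth falls to the user-group's
anonymous_user; an explicit_sites entry matches when its exact_match equals
the request host; a matched site's tls_client overrides the server-level
tls_client for https_forward requests; and in TLS interception (HTTP
CONNECT with protocol inspection) the server-level tls_client is not applied.
"""
from typing import Optional

# Constructed samples mirroring the two YAML fragments posted in this thread.
SERVER = {"name": "proxy", "type": "http_proxy", "user-group": "default",
          "tls_client": {"protocol": "tls1.2"}}
USER_GROUP = {
    "name": "default",
    "anonymous_user": {
        "name": "anonymous",
        "audit": {"enable_protocol_inspection": True},
        "explicit_sites": [
            {"id": "browserleaks", "exact_match": "browserleaks.com",
             "tls_client": {"protocol": "tls1.2"}},
        ],
    },
}

def match_site(user: dict, host: str) -> Optional[dict]:
    """Return the explicit_sites entry whose exact_match equals host."""
    host = host.lower().rstrip(".")
    for site in user.get("explicit_sites", []):
        if site.get("exact_match", "").lower().rstrip(".") == host:
            return site
    return None

def effective_tls_protocol(server: dict, group: Optional[dict], host: str,
                           request_kind: str) -> Optional[str]:
    """Protocol the proxy would pin for its outgoing TLS, or None when the
    config leaves the TLS library default (what the reporter saw as 1.3).
    request_kind is "https_forward" or "intercept"."""
    user = group.get("anonymous_user") if group else None  # no auth info
    site = match_site(user, host) if user else None
    if site and site.get("tls_client"):
        return site["tls_client"].get("protocol")  # user-site config wins
    if request_kind == "https_forward":
        return server.get("tls_client", {}).get("protocol")
    return None  # interception: server-level tls_client is not honoured
```

Passing `None` as the group reproduces the reporter's original setup (server-level tls_client only): an intercepted request gets no pinned version, while an https_forward request to the same host does.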

mspublic commented 4 weeks ago

Thanks! I will give it a try. Does it require setting explicit sites or can it be used across all?

zh-jq commented 4 weeks ago

It only works for the matched sites.

mspublic commented 3 weeks ago

Could this be a feature request in the future? Thanks!

zh-jq commented 3 weeks ago

It's possible but I'm wondering whether it's really needed for all tls connections.

mspublic commented 3 weeks ago

We use it to match certain browser configs - similar to https://github.com/bytedance/g3/issues/138.

zh-jq-b commented 1 week ago

You can set the max/min TLS version after this commit e9b41b684d04365f899bed2454346ef5b7292feb