Closed mspublic closed 1 week ago
The tls_client config here only affects https_forward requests. Currently we don't support setting the outgoing TLS protocol version in TLS interception.
To support a custom TLS client config for HTTP CONNECT requests, you need to use the user-site config.
Add the following to main.yaml:

```yaml
user-group:
  - name: default
    anonymous_user:
      name: anonymous
      audit:
        enable_protocol_inspection: true
      explicit_sites:
        - id: browserleaks
          exact_match: browserleaks.com
          tls_client:
            protocol: tls1.2
```

And you need to change the http_proxy server config to include `user-group: default`.
All requests without user auth information will match that anonymous_user config.
(This will also override the tls client config at the server side for https_forward requests.)
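As an added example (not part of the original thread and not the g3 project's own sample), here is a complete main.yaml that puts the two parts of the reply together: the http_proxy server that references the user group, and the user group whose anonymous user carries the per-site tls_client setting. The server name, listen address, and the escaper and auditor names are assumed placeholders; TLS interception itself still requires an auditor configured for the server, which is assumed to already exist and is not shown here.

```yaml
# Added example, not from the original thread or the g3 project.
# Server name, listen address, escaper and auditor names are assumptions.
server:
  - name: http
    type: http_proxy
    listen: "[::]:8080"
    escaper: default      # assumed existing escaper
    auditor: default      # assumed existing auditor with TLS interception enabled
    user-group: default   # routes requests through the user group below

user-group:
  - name: default
    # Requests that carry no proxy auth credentials match anonymous_user.
    anonymous_user:
      name: anonymous
      audit:
        enable_protocol_inspection: true
      explicit_sites:
        # The tls_client override applies only to sites matched here;
        # any other destination keeps the server-level outgoing TLS settings.
        - id: browserleaks
          exact_match: browserleaks.com
          tls_client:
            protocol: tls1.2
```

Only connections to browserleaks.com get the tls1.2 override; a request to any other host through the same proxy negotiates with the server-level settings, so each site that needs the override has to be listed under explicit_sites.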
Thanks! I will give it a try. Does it require setting explicit sites, or can it be used across all?
It only works for the matched sites.
Could this be a feature request in the future? Thanks!
It's possible, but I'm wondering whether it's really needed for all TLS connections.
We use it to match certain browser configs - similar to https://github.com/bytedance/g3/issues/138.
You can set the max/min TLS version after this commit: e9b41b684d04365f899bed2454346ef5b7292feb
I am trying to set the TLS client protocol for outgoing requests (that are intercepted), but the value does not appear to be respected. For example, I set it to tls1.2, but when I test with https://browserleaks.com/tls it always shows 1.3. This happens with both openssl and boringssl. Example config: