Looking under the hood, OpenSSL 1.1.1a appears to be the default install in the FreeBSD 12.0-RELEASE base system. We use Squid 4.4 and Apache 2.4.37, both of which had to be recompiled.
Just a few notes if you share a similar configuration:
- build /usr/ports/security/openssl111/ or use pkg
- modify /etc/make.conf to reflect DEFAULT_VERSIONS+=ssl=openssl111
- modify httpd.conf to reflect something similar to these:

      SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
      SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA

Once all modifications are finalized, restart Apache and fire up https://www.ssllabs.com/ssltest/ to verify.
To verify with Squid, use:

    $ squid -v
    Squid Cache: Version 4.4
    Service Name: squid

    This binary uses OpenSSL 1.1.1a 20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

Please note the above configuration purposely disables SSLv3 & TLSv1.0-1.1 – only TLSv1.2 and 1.3 are enabled with corresponding ciphersuites. All other connections will fail.
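
An offline check of the two httpd.conf directives above, as an added example that is not part of the original notes: it computes which protocols the `SSLProtocol` line leaves enabled and sorts the `SSLCipherSuite` entries into TLS 1.3 suites, TLS 1.2 AEAD suites and non-AEAD suites. The helper names and the left-to-right token model (start from an empty set, `+X` adds, `-X` removes, a bare name replaces) are assumptions of this example, and only explicit suite names are handled, not OpenSSL keywords such as `HIGH`.

```python
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL = LEGACY | {"TLSv1.2", "TLSv1.3"}

# Constructed sample: the two directives from the notes above.
HTTPD_CONF = """\
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA
"""

def directive(conf, name):
    """Return the arguments of the last uncommented `name` directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else None

def enabled_protocols(arg):
    """Model (assumption): tokens apply left to right, starting from an empty set."""
    enabled = set()
    for tok in arg.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if name.lower() == "all" else {name}
        if not group <= ALL:
            raise ValueError(f"unknown protocol token: {tok}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def audit_ciphers(arg):
    """Classify explicit suite names; CBC suites such as ECDHE-RSA-AES128-SHA land in non_aead."""
    report = {"tls13": [], "aead": [], "non_aead": []}
    for name in arg.split(":"):
        if name.startswith("TLS_"):
            report["tls13"].append(name)
        elif any(mode in name for mode in ("GCM", "CHACHA20", "CCM")):
            report["aead"].append(name)
        else:
            report["non_aead"].append(name)
    return report

def audit(conf):
    protos = enabled_protocols(directive(conf, "SSLProtocol"))
    ciphers = audit_ciphers(directive(conf, "SSLCipherSuite"))
    return {"protocols": sorted(protos), "legacy_enabled": sorted(protos & LEGACY), **ciphers}

if __name__ == "__main__":
    for key, value in audit(HTTPD_CONF).items():
        print(f"{key}: {value}")
```

For the configuration in these notes, no legacy protocol is left enabled, and the one entry reported as non-AEAD is `ECDHE-RSA-AES128-SHA`, an AES-CBC suite with a SHA-1 MAC.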