SSL version default

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 24 Jan 2011 01:52:34 +0000

On Mon, 24 Jan 2011 01:38:57 +0100, Henrik Nordström wrote:
> fre 2011-01-21 klockan 11:31 +0100 skrev Ralf Hildebrandt:
>> > > 1294685115.286 0 10.43.120.109 NONE/501 4145 POST
>> > > https://enis.eurotransplant.nl/donor-webservice/dpa?WDSL - HIER_NONE/-
>> > > text/html
>>
>> So, I enabled SSL using --enable-ssl and now I'm getting:
>>
>> 1295605546.943 313 141.42.231.227 TCP_MISS/503 4251 GET
>> https://enis.eurotransplant.nl/donor-webservice/dpa?WDSL -
>> HIER_DIRECT/194.151.178.174 text/html
>> and the error output consists of the ERR_SECURE_CONNECT_FAIL error
>> message
>
> In both cases Squid received an https:// request unencrypted over plain
> HTTP.
>
> In the first case, as your Squid did not have SSL support it could not
> forward the request at all, as it can not wrap the unencrypted request
> in SSL/TLS for forwarding to the requested server.
>
> In the second case Squid and the server did not agree on the SSL
> protocol.
>
> If using this http->https gatewaying capability then you should
> configure Squid to not use SSLv2. SSLv2 is considered broken beyond
> repair these days. See sslproxy_options for how to tune this in Squid.
>

Which brings up a point of whether it's worth and possible to drop SSLv2
from the defaults?
  Making SSLv3-only or TLSv1-only the default from Squid-3.2 onwards.

I believe this patch should do it.

Amos

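As an added example (not code from the thread or from the Squid project), a small Python triage of Squid native-format access.log lines that separates the two cases Henrik describes above: an https:// request that Squid could not forward at all (no SSL support built in) versus one that was forwarded but failed the secure connect. The first two sample lines are the ones quoted in the thread; the third is constructed, and the classification rules are assumptions derived from the discussion, not Squid's own logic.

```python
import re

# Squid native access.log format (whitespace separated):
# time elapsed client code/status bytes method url ident hier/peer mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Lines 1 and 2 are the entries quoted in the thread; line 3 is constructed.
SAMPLE_LOG = """\
1294685115.286 0 10.43.120.109 NONE/501 4145 POST https://enis.eurotransplant.nl/donor-webservice/dpa?WDSL - HIER_NONE/- text/html
1295605546.943 313 141.42.231.227 TCP_MISS/503 4251 GET https://enis.eurotransplant.nl/donor-webservice/dpa?WDSL - HIER_DIRECT/194.151.178.174 text/html
1295605600.000 120 10.0.0.5 TCP_MISS/200 5120 GET http://example.invalid/index.html - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Return a dict of fields for a native-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Assumed rules for the http->https gatewaying cases discussed in the thread."""
    if not entry["url"].startswith("https://"):
        return "not-gatewayed"
    # 501 with no hierarchy: Squid refused the https:// request outright,
    # consistent with a build that lacks SSL support.
    if entry["status"] == "501" and entry["hier"] == "HIER_NONE":
        return "no-ssl-support"
    # 503 after going direct: Squid tried the TLS connect and failed (the
    # ERR_SECURE_CONNECT_FAIL case); check sslproxy_options / protocol agreement.
    if entry["status"] == "503" and entry["hier"] == "HIER_DIRECT":
        return "secure-connect-fail"
    return "forwarded"


def triage(log_text):
    """Return (url, verdict) for every parsable line; malformed lines are skipped."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((entry["url"], classify(entry)))
    return results


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LOG):
        print(verdict, url)
```

A 503 with HIER_DIRECT can also come from an ordinary connection failure, so the "secure-connect-fail" verdict is a pointer to check the error page, not a proof of a protocol mismatch.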
Received on Mon Jan 24 2011 - 01:52:39 MST

This archive was generated by hypermail 2.2.0 : Tue Jan 25 2011 - 12:00:05 MST