I just committed an SSL policy change to trunk to improve default
SSL/TLS security a bit.
Disable OpenSSL SSL/TLS bug workarounds by default
On closer inspection, the set of "harmless" SSL/TLS bug workarounds
set by SSL_OP_ALL is not entirely harmless and reduces the SSL/TLS
strength against some attacks.
To revert to the older mode the ALL option can be set explicitly, but
it's better to understand which bug is encountered and enable only that
specific workaround if needed.
We may want to have this backported to 3.2.
The functionality of this change is the same as always specifying -ALL
followed by any other SSL options you may have in your Squid
configuration.
Applies to
https_port options=...
cache_peer ssloptions=...
sslproxy_options ...
Regards
Henrik
Received on Sat Jan 21 2012 - 23:23:54 MST
This archive was generated by hypermail 2.2.0 : Sun Jan 22 2012 - 12:00:13 MST
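A small model of the option handling discussed in the message above, added here as an illustration; it is not Squid's or OpenSSL's code. The option bit values are those of OpenSSL 1.0.x `<openssl/ssl.h>` (the OpenSSL generation current at the time of the message). The parsing rules (split on `:` or `,`, a leading `-` or `!` clears a bit, a leading `+` or nothing sets it, a `0x...` token is a raw hex mask) and the subset of option names are my reading of Squid's `ssloptions=` syntax and should be treated as assumptions. The point it makes: SSL_OP_ALL includes DONT_INSERT_EMPTY_FRAGMENTS, which switches off OpenSSL's CBC empty-fragment countermeasure for SSLv3/TLS 1.0, so the old default silently weakened CBC cipher suites; and the new default is indeed the same as writing `-ALL` first and then any other options.

```python
"""Model of how Squid folds ssloptions=/options= into an OpenSSL option mask,
before and after the change described in the message.  Added illustration,
not Squid's own code.  Constants: OpenSSL 1.0.x <openssl/ssl.h>.
Assumption: the token syntax below mirrors Squid's ssloptions parser.
"""

# OpenSSL 1.0.x option bits (values from <openssl/ssl.h>)
SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001
SSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002
SSL_OP_LEGACY_SERVER_CONNECT = 0x00000004
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000008
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000010
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000020
SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000040
SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000080
SSL_OP_TLS_D5_BUG = 0x00000100
SSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000200
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800
SSL_OP_NO_TICKET = 0x00004000
SSL_OP_NO_COMPRESSION = 0x00020000
SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000
SSL_OP_NO_SSLv2 = 0x01000000
SSL_OP_NO_SSLv3 = 0x02000000
SSL_OP_NO_TLSv1 = 0x04000000
SSL_OP_CRYPTOPRO_TLSEXT_BUG = 0x80000000
# The "harmless" bundle.  It contains DONT_INSERT_EMPTY_FRAGMENTS, which
# turns *off* OpenSSL's CBC empty-fragment countermeasure for SSLv3/TLS 1.0.
SSL_OP_ALL = 0x80000BFF

# Name table as it would appear in a config file: "NO_SSLv2", "ALL", ...
OPTION_NAMES = {
    name[len("SSL_OP_"):]: value
    for name, value in list(globals().items())
    if name.startswith("SSL_OP_")
}


def parse_ssl_options(spec, initial=0):
    """Fold an option string into an OpenSSL option mask, starting from
    `initial` (the daemon's built-in default before user options apply)."""
    mask = initial
    for token in (t for t in spec.replace(",", ":").split(":") if t):
        clear = token[0] in "-!"           # "-NAME" / "!NAME" clears the bit
        name = token.lstrip("+-!")         # "+NAME" or "NAME" sets the bit
        if name.lower().startswith("0x"):  # raw hex mask (assumed syntax)
            value = int(name, 16)
        elif name in OPTION_NAMES:
            value = OPTION_NAMES[name]
        else:
            raise ValueError("unknown SSL option: %s" % name)
        mask = (mask & ~value) if clear else (mask | value)
    return mask & 0xFFFFFFFF


def old_default_mask(spec=""):
    """Behaviour before the change: every option string starts from SSL_OP_ALL."""
    return parse_ssl_options(spec, initial=SSL_OP_ALL)


def new_default_mask(spec=""):
    """Behaviour after the change: no bug workarounds unless asked for."""
    return parse_ssl_options(spec, initial=0)


def cbc_countermeasure_disabled(mask):
    """True when the mask switches off the CBC empty-fragment countermeasure."""
    return bool(mask & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)


def enabled_workarounds(mask):
    """Names of the individual option bits set in `mask` (ALL itself omitted)."""
    return sorted(n for n, v in OPTION_NAMES.items()
                  if n != "ALL" and mask & v == v)


if __name__ == "__main__":
    for label, fn in (("old default", old_default_mask), ("new default", new_default_mask)):
        m = fn("NO_SSLv2")
        print("%s + NO_SSLv2 -> 0x%08X, CBC countermeasure disabled: %s"
              % (label, m, cbc_countermeasure_disabled(m)))
    print("bits hidden inside ALL:", enabled_workarounds(SSL_OP_ALL))
    # Re-enabling one specific workaround instead of the whole bundle:
    print("only MICROSOFT_BIG_SSLV3_BUFFER -> 0x%08X"
          % new_default_mask("MICROSOFT_BIG_SSLV3_BUFFER"))
```

The same mask arithmetic applies to `https_port options=...`, `cache_peer ssloptions=...` and `sslproxy_options`, since all three feed one option string into the same OpenSSL option set. If a peer really needs one of the old workarounds, name that bit alone (for example `MICROSOFT_BIG_SSLV3_BUFFER`) rather than restoring `ALL`, which would bring DONT_INSERT_EMPTY_FRAGMENTS back with it.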