Re: [squid-users] Reverse Proxy SSL Options

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 20 Mar 2010 00:45:27 +1300

Matus UHLAR - fantomas wrote:
> On 18.03.10 13:12, Dean Weimer wrote:
>> We have multiple websites using a certificate that has subject
>> alternative names set to use SSL for the multiple domains. That part is
>> working fine, and traffic will pass through showing with valid
>> certificates. However, I need to disable it from answering with weak
>> ciphers and SSLv2 to pass the scans.
>
> check https_port options cipher= and options=
>
> for the latter you can play with "openssl ciphers".
> I use (not on squid), "DEFAULT:!EXP"

@Dean: Thanks for bringing this up. I've now updated the config
documentation to actually mention those details.

In short for "options":
                 NO_SSLv2 Disallow the use of SSLv2
                 NO_SSLv3 Disallow the use of SSLv3
                 NO_TLSv1 Disallow the use of TLSv1
                 SINGLE_DH_USE
                         Always create a new key when using
                         temporary/ephemeral DH key exchanges

         These options vary depending on your SSL engine.
         See the OpenSSL SSL_CTX_set_options documentation for a
         complete list of possible options.

"ciphers" is a comma separated list of ciphers which are to be accepted.
I'm only going on second-hand info but think it's like "SHA1,SHA256" etc.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
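As an added example (not from the thread, and not Squid's own documentation) of the two https_port settings discussed above: a reverse-proxy listener that relies on the OpenSSL defaults, followed by the same listener with options= and cipher= set. The certificate paths and hostname are placeholders; the cipher= value is written in the OpenSSL cipher-list syntax that the `openssl ciphers` command mentioned above accepts.

```squid
# Constructed example. Hostname and certificate paths are placeholders.

# Before: no options= or cipher= given, so the listener accepts whatever the
# OpenSSL defaults of the build allow, which on a 2010-era OpenSSL still
# includes SSLv2 and export-grade (EXP) / low-strength (LOW) cipher suites.
https_port 443 accel vhost defaultsite=www.example.com cert=/etc/squid/ssl/site.pem key=/etc/squid/ssl/site.key

# After: refuse SSLv2 (and SSLv3) at the protocol level and advertise only
# strong suites. options= takes a comma-separated list of the names listed
# above; cipher= takes an OpenSSL cipher-list string (colon-separated).
https_port 443 accel vhost defaultsite=www.example.com cert=/etc/squid/ssl/site.pem key=/etc/squid/ssl/site.key options=NO_SSLv2,NO_SSLv3 cipher=HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5

# Preview what the cipher string expands to before reloading Squid:
#   openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5'
# Every suite printed should be non-export with at least 128-bit encryption;
# if the list comes back empty or the command errors, the string is invalid.
```

Matus's shorter "DEFAULT:!EXP" from the reply above can be dropped in the same way; it only strips export suites, so the options= part still has to carry the SSLv2 exclusion.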
Received on Fri Mar 19 2010 - 11:45:36 MDT