Matus UHLAR - fantomas wrote:
> On 18.03.10 13:12, Dean Weimer wrote:
>> We have multiple websites using a certificate that has subject
>> alternative names set to use SSL for the multiple domains. That part is
>> working fine, and traffic will pass through showing with Valid
>> certificates. However, I need to Disable it from answering with weak
>> ciphers and SSLv2 to pass the scans.
>
> check https_port options cipher= and options=
>
> for the latter you can play with "openssl ciphers".
> I use (not on squid), "DEFAULT:!EXP"

@Dean: Thanks for bringing this up. I've now updated the config
documentation to actually mention those details.

In short for "options":

  NO_SSLv2       Disallow the use of SSLv2
  NO_SSLv3       Disallow the use of SSLv3
  NO_TLSv1       Disallow the use of TLSv1
  SINGLE_DH_USE  Always create a new key when using
                 temporary/ephemeral DH key exchanges

These options vary depending on your SSL engine.
See the OpenSSL SSL_CTX_set_options documentation for a
complete list of possible options.

"ciphers" is a comma separated list of ciphers which are to be accepted.
I'm only going on second-hand info but think it's like "SHA1,SHA256" etc.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18

Received on Fri Mar 19 2010 - 11:45:36 MDT
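As an added example, not code from the thread or from Squid, the following Python uses the standard ssl module (which drives OpenSSL) to build a server context with the hardening the thread is after: a protocol floor equivalent to the NO_SSLv2/NO_SSLv3/NO_TLSv1 option flags, SINGLE_DH_USE, and a cipher string written in the colon-separated syntax that the `openssl ciphers` command Matus mentions consumes (his `DEFAULT:!EXP` extended with further exclusions). It then lists what the context would actually accept and flags any cipher name that still looks weak, which is the same check a scanner performs against the live port. The cipher string, the weak-name markers and the placeholder squid.conf line in the comment are assumptions of this example, not the project's documented values.

```python
import ssl

# Option flags from the post as exposed by Python's ssl module. OpenSSL 1.1.0+
# treats SINGLE_DH_USE as always-on, so it is harmless on newer engines.
HARDENING_OPTIONS = (
    ssl.OP_NO_COMPRESSION           # CRIME-style compression side channel
    | ssl.OP_SINGLE_DH_USE          # fresh ephemeral DH key per handshake
    | ssl.OP_CIPHER_SERVER_PREFERENCE
)

# Cipher string in "openssl ciphers" syntax: colon-separated cipher names or
# keywords, "!" removes a group permanently. Assumed for this example.
HARDENED_CIPHERS = "DEFAULT:!EXP:!aNULL:!eNULL:!RC4:!DES:!MD5"

# Substrings that mark a cipher name as weak for the purposes of this example:
# export grades, null auth/encryption, RC4, MD5 MACs, anonymous DH, single DES.
WEAK_MARKERS = ("EXP", "NULL", "RC4", "MD5", "ADH", "AECDH", "DES-CBC-")

# Squid side (assumed syntax; values are placeholders, not from the thread):
#   https_port 443 cert=/PATH/TO/cert.pem key=/PATH/TO/key.pem \
#       cipher=DEFAULT:!EXP:!aNULL:!eNULL:!RC4:!DES:!MD5 \
#       options=NO_SSLv2,NO_SSLv3


def build_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Server-side SSLContext with the protocol floor, options and ciphers applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # minimum_version is the modern equivalent of stacking NO_SSLv2, NO_SSLv3,
    # NO_TLSv1 and NO_TLSv1_1: anything older than the floor is refused.
    ctx.minimum_version = minimum
    ctx.options |= HARDENING_OPTIONS
    ctx.set_ciphers(cipher_string)
    return ctx


def accepted_ciphers(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Names of the ciphers OpenSSL would offer for the given cipher string."""
    ctx = build_context(cipher_string, minimum)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of cipher names that match one of the weak markers."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def audit(cipher_string=HARDENED_CIPHERS):
    """Return (accepted, weak) so the result can be inspected or asserted on."""
    accepted = accepted_ciphers(cipher_string)
    return accepted, weak_ciphers(accepted)


if __name__ == "__main__":
    accepted, weak = audit()
    print(f"{len(accepted)} ciphers accepted for {HARDENED_CIPHERS!r}")
    for name in accepted:
        print("  ", name)
    print("weak ciphers still enabled:", weak or "none")
```

Run it against any cipher string you intend to put in `cipher=` before restarting the proxy; an empty "weak" list plus a TLS 1.2 floor is what the external scan is checking for. The exact names printed depend on the OpenSSL build the interpreter links against, which is also why the post says the option set varies by SSL engine.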