RE: [squid-users] Reverse Proxy SSL Options

From: Dean Weimer <dweimer_at_ORSCHELN.com>
Date: Fri, 19 Mar 2010 10:09:22 -0500

>On 18.03.10 13:12, Dean Weimer wrote:
>> We have multiple websites using a certificate that has subject
>> alternative names set to use SSL for the multiple domains. That part
>> is working fine, and traffic will pass through showing with Valid
>> certificates. However, I need to Disable it from answering with weak
>> ciphers and SSLv2 to pass the scans.

>check https_port options cipher= and options=

>for the latter you can play with "openssl ciphers".
>I use (not on squid), "DEFAULT:!EXP"
>--
>Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Warning: I do NOT want to receive any advertising mail at this address.
>I feel like I'm diagonally parked in a parallel universe.

Thanks for the info, that worked, almost. I added the following entries.

sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

I stole the cipher options from an apache server that was passing the
PCI scans. This still caused it to fail the scans.

When I entered the same configuration on the https_port line, however, it
worked.

Example (IP and domain name have been changed):
https_port 192.168.1.2:443 accel cert=/usr/local/squid/etc/certs/test.crt key=/usr/local/squid/etc/certs/test.key defaultsite=www.default.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Do the sslproxy_* lines only affect Squid's outbound connections to
the back-end servers?
Or are both settings possibly required? In the successful test scan I
had both set.

I am willing to test some other options if anyone wants me to. I have
until Tuesday before the system needs to be live; it's currently only
accessible to internal clients with a hosts file entry and is being
tested with a Rapid7 Nexpose scanner.

Thanks,
Dean Weimer
Received on Fri Mar 19 2010 - 15:09:58 MDT
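An added check, written for this archive page and not taken from the thread or from Squid itself, that applies the lesson of Dean's two attempts: it parses squid.conf `https_port` lines and reports when `options=NO_SSLv2` or the hard cipher exclusions are missing from the listening port, and flags that `sslproxy_*` lines alone do not cover it. The exclusion policy, the sample config text, and the addresses and file paths in it are constructed assumptions.

```python
import shlex

# Constructed policy (not from the post): cipher groups the https_port cipher= string must hard-exclude.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "LOW", "EXP")

def parse_https_port(line):
    """Split one `https_port` line into its address and key=value options (bare flags are ignored)."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "https_port":
        return None
    entry = {"address": tokens[1]}
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
    return entry

def audit(conf_text):
    """Return findings for every https_port that is not hardened; [] means all are."""
    findings, sslproxy_lines = [], []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("sslproxy_"):
            sslproxy_lines.append(num)
            continue
        port = parse_https_port(line)
        if port is None:
            continue
        if "NO_SSLv2" not in port.get("options", "").split(","):
            findings.append(f"line {num}: https_port {port['address']} lacks options=NO_SSLv2")
        # OpenSSL cipher strings: only a "!" prefix removes a group for good; "-" can be re-added later.
        cipher_parts = port.get("cipher", "").split(":")
        missing = [g for g in REQUIRED_EXCLUSIONS if "!" + g not in cipher_parts]
        if missing:
            findings.append(f"line {num}: https_port {port['address']} cipher= does not exclude {','.join(missing)}")
    # sslproxy_* shapes only Squid's outbound TLS to origin servers, so it cannot change
    # what a scanner sees on the listening port; say so when that is all that was set.
    if sslproxy_lines and findings:
        findings.append(f"lines {sslproxy_lines}: sslproxy_* settings do not harden https_port")
    return findings

# Constructed samples modelled on the thread's two attempts (addresses and paths are placeholders).
WEAK_CONF = """\
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 192.168.1.2:443 accel cert=/etc/squid/test.crt key=/etc/squid/test.key defaultsite=www.default.com vhost
"""
HARDENED_CONF = WEAK_CONF.replace(
    " vhost\n", " vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2\n")
```

Run `audit()` over your own squid.conf text; the weak sample yields three findings and the hardened sample none.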
