Re: [squid-users] Squid 3.2.1 Reverse Proxy SSL Security

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Aug 2013 16:14:42 +1200

On 2013-08-01 13:00, PSA4444 wrote:
> I run some websites behind a squid reverse proxy with SSL enabled.
>
> I ran the free SSL Labs assessment on it and found the following
> problems:
>
> https://www.ssllabs.com/ssltest/
>
> SSL_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
> SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
> SSL_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>
>
> How can I disable these weak cipher suites?
>

http://www.squid-cache.org/Doc/config/https_port/

Use the cipher= option on your https_port to set an explicit set of
ciphers which are to be supported there.

It takes the usual TLSv1:!SSLv2:RC4:!aNULL:!eNULL:!3DES style of syntax.

> I also want to disable TLS compression.
>

I'm not certain about this one. It may be an option= parameter
available, or something needed in the openssl system-wide config file.

Amos
Received on Thu Aug 01 2013 - 04:14:46 MDT
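
Added example, not part of the original message and not Squid project code: a static check that reads `https_port` lines, pulls out the `cipher=` string, and reports which weakness classes from the SSL Labs list quoted above are not explicitly excluded with a `!` term. The squid.conf text, certificate paths and hostnames are constructed placeholders. The check looks only at explicit `!` exclusions, so a pure allow-list string is reported conservatively.

```python
import re

# Constructed sample input: suite names copied from the report quoted above,
# and a hypothetical squid.conf (paths and hostnames are placeholders).
REPORTED = [
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
]
SAMPLE_CONF = """\
# constructed example
https_port 443 accel cert=/etc/squid/example.pem defaultsite=www.example.com
https_port 8443 accel cert=/etc/squid/example.pem cipher=TLSv1:!SSLv2:!aNULL:!eNULL:!3DES
https_port 9443 accel cert=/etc/squid/example.pem cipher=HIGH:!aNULL:!eNULL:!EXPORT:!LOW
"""

# OpenSSL cipher-string keywords whose "!" form removes each weakness class.
COVERED_BY = {"export": {"EXPORT", "EXP"}, "single-DES": {"DES", "LOW"}}

def weakness_classes(suite):
    """Map a reported suite name to the weakness classes it belongs to."""
    found = set()
    if "_EXPORT_" in suite:
        found.add("export")
    if re.search(r"_DES(40)?_CBC_", suite):   # does not match 3DES_EDE_CBC
        found.add("single-DES")
    return found

def https_port_ciphers(conf):
    """Yield (port, cipher string or None) for each https_port line."""
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "https_port":
            cipher = next((t[7:] for t in tok[2:] if t.startswith("cipher=")), None)
            yield tok[1], cipher

def audit(conf, reported):
    """Return {port: sorted weakness classes not explicitly excluded}."""
    needed = set().union(*(weakness_classes(s) for s in reported))
    result = {}
    for port, cipher in https_port_ciphers(conf):
        # A missing cipher= option excludes nothing on that port.
        banned = {t[1:] for t in re.split(r"[:,]", cipher or "") if t.startswith("!")}
        result[port] = sorted(c for c in needed if not (COVERED_BY[c] & banned))
    return result

if __name__ == "__main__":
    for port, missing in audit(SAMPLE_CONF, REPORTED).items():
        print(port, "OK" if not missing else "not excluded: " + ", ".join(missing))
```

After changing `cipher=`, re-running the external scan remains the authoritative check, since the suites actually offered depend on the OpenSSL build Squid is linked against.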
