
Re: Reverse Proxy SSL Options

Matus UHLAR - fantomas wrote:
On 18.03.10 13:12, Dean Weimer wrote:
We have multiple websites using a certificate that has subject
alternative names set to use SSL for the multiple domains. That part is
working fine, and traffic will pass through showing with valid
certificates. However, I need to disable it from answering with weak
ciphers and SSLv2 to pass the scans.

check https_port options cipher= and options=

For the latter you can play with "openssl ciphers".
I use (not on squid) "DEFAULT:!EXP".


@Dean: Thanks for bringing this up. I've now updated the config documentation to actually mention those details.

In short for "options":
                NO_SSLv2  Disallow the use of SSLv2
                NO_SSLv3  Disallow the use of SSLv3
                NO_TLSv1  Disallow the use of TLSv1
                SINGLE_DH_USE
                        Always create a new key when using
                        temporary/ephemeral DH key exchanges

        These options vary depending on your SSL engine.
        See the OpenSSL SSL_CTX_set_options documentation for a
        complete list of possible options.

"ciphers" is a comma-separated list of ciphers which are to be accepted. I'm only going on second-hand info, but I think it's like "SHA1,SHA256" etc.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
