Matus UHLAR - fantomas wrote:
> On 18.03.10 13:12, Dean Weimer wrote:
>> We have multiple websites using a certificate that has subject
>> alternative names set to use SSL for the multiple domains. That part is
>> working fine, and traffic will pass through showing with valid
>> certificates. However, I need to disable it from answering with weak
>> ciphers and SSLv2 to pass the scans.
>
> check https_port options cipher= and options=
> for the latter you can play with "openssl ciphers".
> I use (not on squid), "DEFAULT:!EXP"
@Dean: Thanks for bringing this up. I've now updated the config
documentation to actually mention those details.
In short, for "options":

  NO_SSLv2       Disallow the use of SSLv2
  NO_SSLv3       Disallow the use of SSLv3
  NO_TLSv1       Disallow the use of TLSv1
  SINGLE_DH_USE  Always create a new key when using
                 temporary/ephemeral DH key exchanges
These options vary depending on your SSL engine.
See the OpenSSL SSL_CTX_set_options documentation for a
complete list of possible options.
"ciphers" is a comma-separated list of ciphers which are to be accepted.
I'm only going on second-hand info, but I think it's like "SHA1,SHA256" etc.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
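An added example (not from this thread or from the Squid project) of the check Matus hints at: expand a cipher string with "openssl ciphers -v", flag what a scanner would still complain about (export-grade, SSLv2-only, or under-128-bit suites), and build the matching https_port line. The squid.conf paths and the constructed sample output are assumptions for illustration; cert= and key= are Squid's own https_port options.

```python
"""Audit an OpenSSL cipher-list string before putting it in Squid's
https_port cipher= (added example, not from the thread)."""
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output (columns: name, protocol,
# Kx=, Au=, Enc=, Mac=, optional trailing "export"); used when openssl is absent.
SAMPLE_CIPHERS_V = """\
AES256-SHA      SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA    SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5         SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5    SSLv2 Kx=RSA      Au=RSA Enc=3DES(168) Mac=MD5
EXP-RC4-MD5     SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)   Mac=SHA1 export
"""

def weak_ciphers(ciphers_v_output, min_bits=128):
    """Return names of suites a compliance scan flags: export-grade,
    negotiable only over SSLv2, or with a symmetric key below min_bits."""
    weak = []
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        name, proto, enc = fields[0], fields[1], fields[4]
        match = re.search(r"\((\d+)\)", enc)      # key size inside Enc=...(N)
        bits = int(match.group(1)) if match else 0
        if fields[-1] == "export" or proto == "SSLv2" or bits < min_bits:
            weak.append(name)
    return weak

def audit(cipher_string):
    """Expand cipher_string with the local openssl binary (falling back to the
    constructed sample when openssl is not installed) and list weak suites."""
    if shutil.which("openssl"):
        out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_CIPHERS_V
    return weak_ciphers(out)

def https_port_line(port, cert, key, ciphers, options):
    """Build the squid.conf https_port directive with the tightened settings."""
    return f"https_port {port} cert={cert} key={key} options={options} cipher={ciphers}"

if __name__ == "__main__":
    print("still weak with DEFAULT:!EXP:", audit("DEFAULT:!EXP"))
    print(https_port_line(443, "/etc/squid/cert.pem", "/etc/squid/key.pem",
                          "DEFAULT:!EXP", "NO_SSLv2"))
```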