>On 18.03.10 13:12, Dean Weimer wrote: >> We have multiple websites using a certificate that has subject >> alternative names set to use SSL for the multiple domains. That part >> is working fine, and traffic will pass through showing with Valid >> certificates. However, I need to Disable it from answering with weak >> ciphers and SSLv2 to pass the scans. >check https_port options cipher= and options= >for the latter you can play with "openssl ciphers". >I use (not on squid), "DEFAULT:!EXP" >-- >Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/ >Warning: I wish NOT to receive e-mail advertising to this address. >Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. >I feel like I'm diagonally parked in a parallel universe. Thanks for the info that worked, almost, I added the following entries. sslproxy_options NO_SSLv2 sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2 I stole the cipher options from an apache server that was passing the PCI scans. This still caused it to fail the scans. When I entered the same configuration in the https_port line, however it worked. Example(IP and domain name has been changed): https_port 192.168.1.2:443 accel cert=/usr/local/squid/etc/certs/test.crt key=/usr/local/squid/etc/certs/test.key defaultsite=www.default.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2 Do the sslproxy_* lines only effect the squid outbound connections to the back end servers? Or are both settings possibly required? In the successful test scan I had both Set. I am willing to test some other options if anyone wants me to, I have untill Tuesday before the system needs to be live, its currently only accessible to internal clients with a hosts file entry and is being tested with a Rapid7 Nexpose scanner. Thanks, Dean Weimer
