> -----Original Message-----
> From: Sébastien WENSKE [mailto:sebastien@xxxxxxxxx]
> Sent: Monday, November 15, 2010 8:44 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
>
> Hello guys,
>
> I have set up a squid as SSL reverse proxy; it works fine.
>
> I have checked SSL security against Qualys and they report that the
> server is vulnerable to MITM attacks because it supports insecure
> renegotiation.
>
> Here is my SSL-related configuration:
>
> https_port xx.xx.xx.xx:443 cert=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.crt
> key=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.key options=NO_SSLv2
> cipher=RSA:HIGH:!eNULL:!aNULL:!LOW:!RC4+RSA:!RC2+RSA:!EXP:!ADH accel ignore-cc
> defaultsite=xxx.xxxxxxxx.xx vhost
> [...]
> cache_peer 10.x.x.x parent 80 0 front-end-https=on name=sw01 no-query
> originserver default login=PASS no-digest
> [...]
> ssl_unclean_shutdown on
> [...]
>
> Is it OpenSSL related or Squid configuration?
>
> Many thanks,
>
> Sebastian

I have squid compiled from source against OpenSSL 1.0.0a, with the following options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx.xxxx.xxx vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site certification scans. The options and ciphers are set both on the https_port line and on individual lines; not sure if both or only one are required.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
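The finding in the thread comes from the OpenSSL build, not from the https_port cipher or options string: the RFC 5746 secure-renegotiation extension that Qualys looks for was added in OpenSSL 0.9.8m and 1.0.0, so a Squid linked against 1.0.0a (as in the reply) passes while one linked against an older 0.9.8 does not, whatever the cipher list says. The script below is an added example, not code from the squid-users thread, from Squid or from Qualys. It reads the same fact locally from `openssl s_client`, which prints a "Secure Renegotiation IS supported" / "IS NOT supported" line after the handshake, and also pulls the negotiated protocol and cipher so the NO_SSLv2 and weak-cipher parts of the configuration can be spot-checked in the same run. The two server outputs embedded in it are constructed to look like s_client output and are not captures from either poster's proxy; `proxy.example` in the comment is a placeholder host.

```shell
#!/bin/sh
# Added example (not from the squid-users thread, Squid or Qualys): classify a
# TLS endpoint's renegotiation status from `openssl s_client` output.
# The live check against a reverse proxy is:
#
#   printf 'Q\n' | openssl s_client -connect proxy.example:443 \
#       -servername proxy.example 2>/dev/null | reneg_status
#
# proxy.example is a placeholder; the functions below only parse the output.

# reneg_status: reads s_client output on stdin and prints one word:
#   secure    RFC 5746 extension negotiated (what the Qualys scan wants to see)
#   insecure  no RFC 5746; renegotiation falls back to the pre-2009 scheme,
#             which is the behaviour of OpenSSL builds older than 0.9.8m
#   unknown   no renegotiation line at all (handshake failed, wrong port, ...)
reneg_status() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# negotiated: reads s_client output on stdin and prints "PROTOCOL CIPHER"
# from the SSL-Session block, or "none none" if the handshake never completed.
# Seeing SSLv2 or an EXP/LOW cipher here means options=/cipher= are not in effect.
negotiated() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { ciph  = $NF }
        END {
            p = proto ? proto : "none"
            c = ciph  ? ciph  : "none"
            print p, c
        }
    '
}

# Constructed sample in the shape of s_client output from a server whose
# OpenSSL predates RFC 5746 support (the shape that earns the Qualys finding).
OLD_SERVER_OUTPUT='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

# Constructed sample in the shape of s_client output from a server built
# against an OpenSSL with RFC 5746 support (1.0.0a, as in the reply).
NEW_SERVER_OUTPUT='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

# check NAME OUTPUT: one summary line per server, "NAME: STATUS PROTOCOL CIPHER"
check() {
    printf '%s: %s %s\n' "$1" \
        "$(printf '%s\n' "$2" | reneg_status)" \
        "$(printf '%s\n' "$2" | negotiated)"
}

check old-server "$OLD_SERVER_OUTPUT"   # old-server: insecure TLSv1 AES256-SHA
check new-server "$NEW_SERVER_OUTPUT"   # new-server: secure TLSv1 AES256-SHA
```

Run it against the real proxy by replacing the embedded samples with the pipeline from the header comment; if `reneg_status` prints `insecure`, rebuilding Squid against an OpenSSL that implements RFC 5746 is the fix, and no cipher-string change on https_port will alter the result.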