
RE: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported


 



Thanks for your support Dean, but I'm definitely a n00b :)
I have compiled many times (without error) with some ssl paths, but with no result; I got the same result on the scan...

I compiled openssl with no particular option (no make install)

./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for --enable-underscores  --enable-delay-pools --enable-cache-digests --enable-auth="basic" --enable-ecap  --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I'm lost ... I need to fix this issue before implementing this in my company ...

Cheers,

Sebastian

-----Original Message-----
From: Dean Weimer [mailto:dweimer@xxxxxxxxxxxx]
Sent: Monday, November 15, 2010 19:56
To: Sébastien WENSKE; squid-users@xxxxxxxxxxxxxxx
Subject: RE:  RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

> -----Original Message-----
> From: Sébastien WENSKE [mailto:sebastien@xxxxxxxxx]
> Sent: Monday, November 15, 2010 11:29 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject:  RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported
> 
> Thanks Dean,
> 
> I have tried to compile with openssl 10.0.0a, but I get the same result...
> even with sslproxy_ directives.
> 
> Can you check your server on https://www.ssllabs.com/ssldb/index.html 
> just to see....
> 
> In my case:
> 
> browser <--- HTTPS ----> reverse proxy (squid 3.1.9) <---- HTTP -----> OWA 2010 (IIS 7.5)
> 
> Maybe I miss something, how can I see which version of openssl is used 
> in squid ?
>

Here is the information I got back, minus the certificate section; the overall score was a 91.  When you compile with openssl, make sure to use --with-openssl=[DIR] to specify your path, to make sure you hit the version you installed and not the local system libraries, as they may differ.  Though it would be best to update the local system libraries as well if possible.

Protocols
TLS 1.2 	No
TLS 1.1 	No
TLS 1.0 	Yes
SSL 3.0 	Yes
SSL 2.0+ Upgrade Support 	Yes
SSL 2.0 	No


Cipher Suites (sorted; server has no preference)
TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 	128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 	128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 	128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 	128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 	168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 	256


Miscellaneous
Test date 	Mon Nov 15 18:49:14 UTC 2010
Test duration 	102.430 seconds
Server signature 	Microsoft-IIS/6.0
Session resumption 	Yes
Renegotiation 	Secure Renegotiation Supported
Strict Transport Security 	No
TLS Version Tolerance 	0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
PCI compliant 	Yes
FIPS-ready 	No

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
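
Added example (not part of the original thread, and not the posters' code): one way to check the two things discussed above, which libssl/libcrypto a squid binary actually loads and whether a listener reports secure renegotiation, by parsing `ldd` and `openssl s_client` output. The sample outputs and the prefix /opt/openssl-1.0.0a are constructed for illustration; HOST in the comments is a placeholder.

```shell
#!/bin/sh
# Live usage (placeholders: squid on PATH, HOST is your reverse proxy):
#   ldd "$(command -v squid)" | linked_ssl_libs
#   echo | openssl s_client -connect HOST:443 2>/dev/null | reneg_status

# Print the resolved path of each libssl/libcrypto listed in `ldd` output on stdin.
linked_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             print ($3 == "not" ? "MISSING" : $3) }'
}

# Succeed only if at least one SSL library is linked and every one of them
# resolves under the prefix given as $1 (the OpenSSL build you meant to use).
libs_under_prefix() {
    linked_ssl_libs | awk -v p="$1/" '
        { n++; if (index($0, p) != 1) bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Classify `openssl s_client` output on stdin: secure | insecure | unknown.
reneg_status() {
    awk '/Secure Renegotiation IS NOT supported/ { s = "insecure" }
         /Secure Renegotiation IS supported/     { s = "secure" }
         END { print (s == "" ? "unknown" : s) }'
}

# Constructed sample: a binary that still resolves the system libraries.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f1c2a000000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f1c29c00000)
    libc.so.6 => /lib/libc.so.6 (0x00007f1c29800000)'

# Constructed sample: the s_client line for a peer without RFC 5746 support.
SAMPLE_SCLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'

echo "SSL libraries loaded:"
printf '%s\n' "$SAMPLE_LDD" | linked_ssl_libs
if printf '%s\n' "$SAMPLE_LDD" | libs_under_prefix /opt/openssl-1.0.0a; then
    echo "binary uses the OpenSSL under /opt/openssl-1.0.0a"
else
    echo "binary does NOT use the OpenSSL under /opt/openssl-1.0.0a"
fi
echo "renegotiation: $(printf '%s\n' "$SAMPLE_SCLIENT" | reneg_status)"
```

If the libraries resolve outside the prefix passed to --with-openssl, the rebuild did not change what squid loads at run time, which would explain an unchanged scan result.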


