On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE <sebastien@xxxxxxxxx> wrote:

> Thanks for your support Dean, but I'm definitely a n00b :)
> I have compiled many times (without error) with some ssl paths, but no
> result; I got the same result on the scan...
>
> I compiled openssl with no particular option (no make install)
>
> ./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include
> --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid
> --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary
> --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for
> --enable-underscores --enable-delay-pools --enable-cache-digests
> --enable-auth="basic" --enable-ecap
> --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I think this should be --with-openssl=/usr/src/openssl/openssl-1.0.0a/

>
> I'm lost ... I need to fix this issue before implementing this in my
> company ...
>
> Cheers,
>
> Sebastian
>
> -----Original Message-----
> From: Dean Weimer [mailto:dweimer@xxxxxxxxxxxx]
> Sent: Monday, 15 November 2010 19:56
> To: Sébastien WENSKE; squid-users@xxxxxxxxxxxxxxx
> Subject: RE: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse
> PROXY - Insecure Renegotiation Supported
>
>> -----Original Message-----
>> From: Sébastien WENSKE [mailto:sebastien@xxxxxxxxx]
>> Sent: Monday, November 15, 2010 11:29 AM
>> To: squid-users@xxxxxxxxxxxxxxx
>> Subject: RE: RE : [squid-users] [Squid 3.1.9] SSL
>> Reverse PROXY
>> - Insecure Renegotiation Supported
>>
>> Thanks Dean,
>>
>> I have tried to compile with openssl 10.0.0a, but I get the same
>> result...
>> even with sslproxy_ directives.
>>
>> Can you check your server on https://www.ssllabs.com/ssldb/index.html
>> just to see....
>>
>> In my case:
>>
>> browser <--- HTTPS ----> reverse proxy (squid 3.1.9) <---- HTTP ----->
>> OWA 2010 (IIS 7.5)
>>
>> Maybe I missed something; how can I see which version of openssl is used
>> in squid?
>>
>
> Here is the information I got back, minus the certificate section; the
> overall score was a 91. When you compiled with openssl, make sure to use
> --with-openssl=[DIR] to specify your path, to make sure you hit the
> version you installed and not the local system libraries, as they may
> differ. Though it would be best to update the local system libraries as
> well if possible.
>
> Protocols
> TLS 1.2 No
> TLS 1.1 No
> TLS 1.0 Yes
> SSL 3.0 Yes
> SSL 2.0+ Upgrade Support Yes
> SSL 2.0 No
>
>
> Cipher Suites (sorted; server has no preference)
> TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 128
> TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
>
>
> Miscellaneous
> Test date Mon Nov 15 18:49:14 UTC 2010
> Test duration 102.430 seconds
> Server signature Microsoft-IIS/6.0
> Session resumption Yes
> Renegotiation Secure Renegotiation Supported
> Strict Transport Security No
> TLS Version Tolerance 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
> PCI compliant Yes
> FIPS-ready No
>
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
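As an added example (not code from this thread, nor from Squid or OpenSSL), a small POSIX sh script for the two checks the thread circles around: whether the directory handed to --with-openssl=DIR is the OpenSSL root rather than its include/openssl subdirectory, and which OpenSSL version squid would therefore build against; plus a classifier for the "Secure Renegotiation" line that `openssl s_client -connect host:443` prints, so a server can be checked without the SSL Labs scanner. The function names, the sample s_client output and the layout assumption (squid looking for headers under DIR/include and libraries under DIR/lib) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid/OpenSSL.
# check_openssl_prefix DIR : verify DIR is the root --with-openssl expects
#   and print the OpenSSL version string found in its opensslv.h.
# renegotiation_status     : classify the renegotiation line of
#   "openssl s_client -connect host:443 </dev/null", read from stdin.

check_openssl_prefix() {
    dir=${1%/}
    hdr="$dir/include/openssl/opensslv.h"
    if [ ! -f "$hdr" ]; then
        echo "error: $hdr not found; pass the OpenSSL root, not include/openssl" >&2
        return 1
    fi
    # Assumption: squid adds -L DIR/lib; a plain "make" without "make install"
    # leaves libssl at the top of the source tree instead.
    if ls "$dir"/lib/libssl.* >/dev/null 2>&1; then
        :
    elif ls "$dir"/libssl.* >/dev/null 2>&1; then
        echo "warning: libssl is in $dir, not $dir/lib (no make install?)" >&2
    else
        echo "error: no libssl under $dir; build OpenSSL first" >&2
        return 1
    fi
    # First OPENSSL_VERSION_TEXT definition is the human-readable version
    ver=$(sed -n 's/.*OPENSSL_VERSION_TEXT[[:space:]]*"\([^"]*\)".*/\1/p' "$hdr" | head -n 1)
    [ -n "$ver" ] || return 1
    echo "$ver"
}

renegotiation_status() {
    out=$(cat)   # read all of s_client's output once
    case $out in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed sample of s_client's post-handshake summary (not a real capture)
SAMPLE_SCLIENT='SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'

printf '%s\n' "$SAMPLE_SCLIENT" | renegotiation_status   # prints: insecure
```

Run `check_openssl_prefix /usr/src/openssl/openssl-1.0.0a/` before configuring squid; a server result of "insecure" is the same condition the SSL Labs report flags as "Insecure Renegotiation Supported".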