On 18/03/2014 3:09 a.m., Eliezer Croitoru wrote:
> I am trying to understand the issue which you are writing about?
> What are you talking about SSL client renegotiation?
> What would you like to achieve?
> If you can describe it from a user perspective I might be able to
> understand a bit more.

Eliezer, FYI:
SSL v2 and older have protocol capability to re-negotiate the protocol version and ciphers being used. There is no user perspective exactly because it is a feature of the SSL handshake. It is also nowadays considered harmful for security, and the latest SSL/TLS standards and BCP strongly deprecate its use.

Amaury,
It does depend on the OpenSSL version Squid is currently using for SSL operations, because which protocol is picked first determines whether it is available or not. But also on the Squid version, with a bug in 3.1 and earlier causing the default to be ON and making it hard to disable.

In Squid, SSL options parameters in various places (http_port/https_port ssloptions=XX, cache_peer ... ssl-options=XX, and sslproxy_options XX) can be used to define an explicitly permitted set of OpenSSL options like renegotiation. Squid-3.2 and later default SSL options are set to have only the library default options enabled. The squid.conf setting is *additive* to the library options, but you can "add" a NO_* option to disable one if the default for the library is enabled. Thus most example configs start with an "ALL" or "!ALL" option.

I may be wrong here but believe the RPM thing is likely because RHEL developers are known to be quite free with back-porting features between OpenSSL versions and *may* have done so to forcibly disable the negotiation feature. Not something I would personally be confident about relying on, though, without a full investigation of the exact installed library. Which probably is not worth the time given that a Squid upgrade should be enough to disable it regardless of library.
Amos

> Eliezer
>
> On 17/03/2014 15:54, amaury wrote:
>> I would like to know how it's possible to disable SSL client renegotiating. Reading in different mailing lists, I read that it depends on the OpenSSL version, but for example I have another server with the same OpenSSL RPM with Apache that has renegotiation disabled.
>> Please, do you have any idea?
>> Thank you
>> Regards,
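As an added illustration that is not part of the thread, the "additive" option semantics Amos describes can be seen at the OpenSSL layer itself through Python's ssl module: the library starts with a default option set, and configuration can only OR further OP_* flags (including NO_* ones) on top. The code below assumes the interpreter is linked against an OpenSSL new enough to define OP_NO_RENEGOTIATION (1.1.0h or later); on an older build the flag simply does not exist, which is exactly the library-version dependence the thread discusses. Nothing here is Squid's own code.

```python
import ssl

# Assumption (not from the thread): OP_NO_RENEGOTIATION exists only when the
# underlying OpenSSL is >= 1.1.0h. If it is absent we report that rather than
# pretending renegotiation was switched off.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def library_info():
    """Which OpenSSL this process really links against: the first thing to check."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "has_no_renegotiation": NO_RENEG is not None,
    }


def library_default_options():
    """Option bits the library/binding enables before any explicit configuration."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).options


def has_option(ctx, name):
    """True if the named OP_* flag is known to this build and set on the context."""
    flag = getattr(ssl, "OP_" + name, None)
    return flag is not None and bool(ctx.options & flag)


def apply_options(ctx, names):
    """Add named OpenSSL options to a context.

    Like a squid.conf ssloptions= list this is additive: existing defaults are
    kept, each requested flag (including NO_* flags) is OR-ed on top.
    """
    for name in names:
        flag = getattr(ssl, "OP_" + name, None)
        if flag is None:
            raise ValueError(f"OP_{name} is not known to this OpenSSL build")
        ctx.options |= flag
    return ctx


def hardened_client_context():
    """Client context with session tickets off and, where possible, renegotiation off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    wanted = ["NO_TICKET"]
    if NO_RENEG is not None:
        wanted.append("NO_RENEGOTIATION")
    return apply_options(ctx, wanted)


def renegotiation_disabled(ctx):
    """True/False when the library can express the flag, None when it cannot."""
    if NO_RENEG is None:
        return None
    return bool(ctx.options & NO_RENEG)


if __name__ == "__main__":
    print(library_info())
    ctx = hardened_client_context()
    print("NO_COMPRESSION kept from defaults:", has_option(ctx, "NO_COMPRESSION"))
    print("renegotiation disabled:", renegotiation_disabled(ctx))
```

Running it prints the OpenSSL version string the interpreter actually uses, which is the same check Amos suggests for a Squid binary: if the library is too old to define the flag, no amount of configuration on top of it can disable renegotiation, and upgrading the stack is the fix.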