On 17/10/2014 7:24 p.m., Alexander Samad wrote:
> Hi
>
> I am trying to reconfig the ssl setup on a reverse proxy set
>
> https_port 2.7.3.1:443 accel
> cert=/etc/httpd/conf.d/office.xyz.com.crt
> key=/etc/httpd/conf.d/office.xyz.com.key
> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
> defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3
> cipher=ALL:!SSLv2:!SSLv3@STRENGTH
>
> But I only get a limited list of ciphers, completely different
> from openssl ciphers 'ALL:!SSLv2:!SSLv3@STRENGTH'
>
> in fact it doesn't seem to look at the cipher option at all

There seems to be some FUD and confusion going around since POODLE was announced. In particular people mentioning a "cipher" called SSLv3.

The cipher having problems is CBC. The SSLv3 is simply the SSL/TLS version where that cipher is mandatory to support.

Let's be clear: cipher != SSL/TLS version

The cipher being unusable now *also* makes the whole version unusable and dangerous. Just like SSLv2 some years ago when the last of its ciphers was broken, and TLSv1.0 will someday soon.

The "options=NO_SSLv2,NO_SSLv3" that you have set is sufficient to close the POODLE vulnerability.

NP: Do make sure you have Squid 3.2 or later, the older ones enabled some "default" options that are pretty bad these days.

> and pointers on what I am doing wrong
>
> right now I am left with https_port 2.7.3.1:443 accel
> cert=/etc/httpd/conf.d/office.xyz.com.crt
> key=/etc/httpd/conf.d/office.xyz.com.key
> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
> defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3
>
> but https://www.ssllabs.com/ssltest/ gives me an A- .. no PFS.

That I'm afraid depends on your OpenSSL library. Some of them have PFS ciphers enabled by default, some you have to add options or ciphers to get it, some don't support it at all.

You do need dhparams= to enable them. But beyond that it's all OpenSSL.
Amos

squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
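An added example, not part of the thread or of Squid: a small Python script that reads `openssl ciphers -v` output (the sample below is constructed, not captured from the poster's proxy) and sorts the suites into ones whose key exchange gives forward secrecy (Kx=DH/ECDH, the ones `dhparams=` and the OpenSSL build decide) and ones using a CBC block cipher, which is what POODLE abuses when SSLv3 is negotiated. The version column in that output is the protocol that introduced the suite, so "SSLv3" there does not mean the suite is only usable over SSLv3, which is the confusion the reply describes.

```python
"""Classify `openssl ciphers -v` output for forward secrecy and CBC use."""
import re
from typing import Dict, List

# Constructed sample in the `openssl ciphers -v` line format:
# name  version  Kx=  Au=  Enc=  Mac=
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
ECDHE-RSA-RC4-SHA           SSLv3   Kx=ECDH     Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
# Ephemeral (EC)DH key exchange is what gives a suite forward secrecy.
PFS_KX = {"DH", "ECDH"}
# Block ciphers printed without a mode suffix run in CBC mode; these are the
# suites POODLE attacks when the connection falls back to SSLv3.
CBC_ENC_RE = re.compile(r"^(AES|3DES|DES|CAMELLIA|SEED|IDEA)\(\d+\)$")


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Turn `openssl ciphers -v` lines into dicts; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return suite names grouped as PFS, non-PFS, and CBC (POODLE-relevant)."""
    pfs = [r["name"] for r in rows if r["kx"] in PFS_KX]
    no_pfs = [r["name"] for r in rows if r["kx"] not in PFS_KX]
    cbc = [r["name"] for r in rows if CBC_ENC_RE.match(r["enc"])]
    return {"pfs": pfs, "no_pfs": no_pfs, "cbc": cbc}


if __name__ == "__main__":
    for group, names in classify(parse_ciphers_v(SAMPLE_CIPHERS_V)).items():
        print(f"{group}: {', '.join(names) or '(none)'}")
```

Feed it the real output of `openssl ciphers -v 'ALL:!SSLv2:!SSLv3@STRENGTH'` from the proxy host to see whether the library's list contains any PFS suites at all before blaming the Squid `cipher=` option.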