Hi,

Thanks for clearing that up. So when I do an openssl ciphers and select the
ciphers I want, including the PFS-enabled ones, I take the list and try to use
it in ciphers=, and the list seems to be disregarded and only 1 cipher is
available, at least from online checking and with nmap.

I have nossl2 and nossl3; that covers me for most things apart from PFS. I am
not ready to upgrade to a non-RHEL/CentOS version as that has other
implications! But in the end, if I must...

I am wondering if that's a known bug or I am configuring it wrongly. This is
the cipher list I have tried as well:

openssl ciphers 'ALL:!SSLv2:!SSLv3:@STRENGTH'

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256

ldd points to /usr/lib64/libssl.so.10 and openssl-1.0.1e-30.el6_5.2.x86_64

Alex

On 17 October 2014 18:20, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 17/10/2014 7:24 p.m., Alexander Samad wrote:
>> Hi
>>
>> I am trying to reconfig the ssl setup on a reverse proxy set
>>
>> https_port 2.7.3.1:443 accel
>> cert=/etc/httpd/conf.d/office.xyz.com.crt
>> key=/etc/httpd/conf.d/office.xyz.com.key
>> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
>> defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3
>> cipher=ALL:!SSLv2:!SSLv3@STRENGTH
>>
>> But I only get a limited list of ciphers, completely different
>> from openssl ciphers 'ALL:!SSLv2:!SSLv3@STRENGTH'
>>
>> In fact it doesn't seem to look at the cipher option at all.
>
> There seems to be some FUD and confusion going around since POODLE was
> announced. In particular people mentioning a "cipher" called SSLv3.
>
> The cipher having problems is CBC. The SSLv3 is simply the SSL/TLS
> version where that cipher is mandatory to support.
>
> Let's be clear: cipher != SSL/TLS version
>
> The cipher being unusable now *also* makes the whole version unusable
> and dangerous. Just like SSLv2 some years ago when the last of its
> ciphers was broken, and TLSv1.0 will someday soon.
>
>
> The "options=NO_SSLv2,NO_SSLv3" that you have set is sufficient to
> close the POODLE vulnerability.
>
> NP: Do make sure you have a Squid 3.2 or later, the older ones enabled
> some "default" options that are pretty bad these days.
>
>>
>> Any pointers on what I am doing wrong?
>>
>> Right now I am left with https_port 2.7.3.1:443 accel
>> cert=/etc/httpd/conf.d/office.xyz.com.crt
>> key=/etc/httpd/conf.d/office.xyz.com.key
>> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
>> defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3
>>
>> but https://www.ssllabs.com/ssltest/ gives me an A- .. no PFS.
>
> That I'm afraid depends on your OpenSSL library. Some of them have PFS
> ciphers enabled by default, some you have to add options or ciphers to
> get it, some don't support it at all.
>
> You do need dhparams= to enable them. But beyond that it's all OpenSSL.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
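Reading the posted cipher list by key-exchange type, as an added example that is not code from the thread or from Squid: only the ECDHE-/DHE- suites provide the forward secrecy SSL Labs credits, the ADH- suites are anonymous (no server authentication at all), and the DHE- suites are the ones that depend on dhparams= as Amos notes. The input is a constructed subset of Alex's list, and the classification goes by OpenSSL suite-name prefix only, without calling OpenSSL.

```python
# Classify an OpenSSL-style cipher list by key-exchange method (offline,
# string parsing only; it does not call OpenSSL).

# Constructed input: a subset of the expanded cipher list posted above.
CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-SHA256:"
    "ADH-AES256-GCM-SHA384:ADH-AES128-SHA256:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256"
)

# OpenSSL suite-name prefixes that identify the key exchange.
KX_RULES = (
    ("anon",   ("ADH-", "AECDH-")),          # anonymous DH: no server authentication
    ("pfs",    ("ECDHE-", "DHE-", "EDH-")),  # ephemeral (EC)DH: forward secrecy
    ("static", ("ECDH-",)),                  # static ECDH: long-term key, no PFS
)

def classify(suite: str) -> str:
    """Return 'pfs', 'anon', 'static' or 'rsa' for one OpenSSL suite name.

    Suites with no key-exchange prefix (AES256-GCM-SHA384, ...) use RSA key
    transport: the session key is encrypted to the certificate's key, so a
    later compromise of that key decrypts recorded sessions (no PFS).
    """
    for label, prefixes in KX_RULES:
        if suite.startswith(prefixes):
            return label
    return "rsa"

def summarize(cipher_list: str) -> dict:
    """Group a colon-separated suite list by key-exchange class."""
    groups = {"pfs": [], "anon": [], "static": [], "rsa": []}
    for suite in filter(None, cipher_list.split(":")):
        groups[classify(suite)].append(suite)
    return groups

def needs_dhparams(cipher_list: str) -> bool:
    """True when finite-field DHE suites are listed; the server can only
    offer those once dhparams= points at a DH parameter file."""
    return any(s.startswith(("DHE-", "EDH-")) for s in cipher_list.split(":"))

if __name__ == "__main__":
    for label, suites in summarize(CIPHER_LIST).items():
        print(f"{label:7s} {len(suites):2d}  {' '.join(suites)}")
    print("dhparams= required:", needs_dhparams(CIPHER_LIST))
```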