On 12/04/2015 10:11 a.m., mattatrmc wrote:
> I've been troubleshooting a site that I haven't been able to load using the
> squid proxy. Based on the information provided I was able to determine it
> was an issue with the cipher that the proxy was trying to use.
>
> When I add sslproxy_cipher RCA-MD5 it allows the site to open.

RCA? Do you mean RC4?

>
> Now my concern is that since this isn't a secure encryption option I would
> only like to make it available for the one site, however I can't seem to
> figure out how to do it with acl rules. Is it possible to do, or do I have
> to leave it open for everyone?

No, it's not possible. And no, you should be very, very careful about enabling
it at all.

RC4 requires a minimum 2048-bit key to have any amount of security these
days (lesser key sizes can be cracked in near realtime), and even then it
requires connections to be completed/closed relatively quickly before an
attacker gets enough info to decipher the keys.

Either your end or the remote site really, really needs an upgrade to
TLSv1.2 if that is the only mutually supported cipher. Now that RFC7465
prohibits RC4 usage entirely you will find a growing number of software not
supporting it at all.

Amos
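
Added example, not part of the original message or of Squid: a small Python audit that scans squid.conf text for `sslproxy_cipher` lines that leave RC4 or MD5 suites switched on. The function names and the sample config are constructed for illustration, and the matching is a heuristic over OpenSSL cipher-string operators, not a reimplementation of OpenSSL's parser (aliases such as ALL or DEFAULT are not expanded).

```python
import re

WEAK = ("RC4", "MD5")  # cipher/MAC families discussed in this thread

def families(name):
    """Weak families named in one token, e.g. 'RC4-MD5' -> {'RC4', 'MD5'}."""
    return {f for f in WEAK if f in re.split(r"[-+_]", name.upper())}

def audit(cipher_string):
    """Return the weak tokens still enabled after applying '!', '-' and '+'."""
    enabled, killed = [], set()
    for raw in re.split(r"[:, ]+", cipher_string.strip()):
        op = raw[:1] if raw[:1] in ("!", "-", "+") else ""
        name = raw[len(op):].upper()
        if not name or op == "+":          # "+X" only reorders, adds nothing
            continue
        if op:                             # "!X" / "-X" remove matching entries
            enabled = [t for t in enabled
                       if t != name and name not in families(t)]
            if op == "!":                  # "!" is permanent, "-" is not
                killed.add(name)
        elif families(name) and name not in killed \
                and not (families(name) & killed):
            enabled.append(name)
    return enabled

def audit_squid_conf(text):
    """Return [(line_number, [weak tokens])] for each sslproxy_cipher line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # ignore comment text
        if len(fields) >= 2 and fields[0] == "sslproxy_cipher":
            weak = audit(" ".join(fields[1:]))
            if weak:
                findings.append((lineno, weak))
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
# outgoing TLS settings
http_port 3128
sslproxy_cipher RC4-MD5
"""

if __name__ == "__main__":
    for lineno, weak in audit_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: weak ciphers enabled for all sites: {weak}")
```

To see what a cipher string expands to on a particular OpenSSL build, `openssl ciphers -v '<string>'` lists the resulting suites.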