On 8/05/2015 10:46 p.m., Jakob Curdes wrote:
> Hello all, I have configured squid 3.3.8 (CentOS 7 rpm) as an SSL
> reverse proxy which works fine. However, I would like to make it as
> secure as possible. The SSLLabs test showed
> "Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more
> info
> <https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks?_ga=1.161215733.973769323.1423134297>)"
>
>
> I found an old thread here where it was suggested it depends on the
> default of the OpenSSL library installed and that on compiling squid,
> you can disable this option by specifying SSL_OP_ALL=0. However I would
> like to stick to the RPM if possible.

Very old thread. Your version of Squid should already contain the
relevant change that would have caused.

> Is there a way to disable this via a configuration option? I tried to
> pass options=!ALL in the config but then no SSL connection is possible as
> the peers do not find any common cipher....

Er, yes. You have to follow !ALL with the explicit ':' or ',' separated
list of things which you do want to work.

The real answer though is to use an up to date OpenSSL version.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
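The point Amos makes above, that a bare `!ALL` clears the option set and must be followed by an explicit list of the options you still want, is easier to see with a small parser. The script below is an added illustration written for this archive page; it is not Squid's code and not the thread's. It assumes a Squid-like option string syntax (`,` or `:` separated names, `!` prefix to unset) and a library default of `SSL_OP_ALL`; the name table is a subset of OpenSSL option names taken from Python's `ssl` module, and `NO_RENEGOTIATION` appears only when the underlying OpenSSL supports it.

```python
"""Illustrative parser for a Squid-style OpenSSL option string.

Not Squid's implementation: an added example that models the
"!ALL, then list what you want" behaviour described in the thread.
"""
import re
import ssl

# Option name -> OpenSSL bit value, via Python's ssl module. The subset of
# names is an assumption; Squid keeps its own table in its source tree.
OPTION_BITS = {
    "ALL": int(ssl.OP_ALL),                      # bug-workaround bits only
    "NO_SSLv2": int(ssl.OP_NO_SSLv2),            # may be 0 on modern OpenSSL
    "NO_SSLv3": int(ssl.OP_NO_SSLv3),
    "NO_TLSv1": int(ssl.OP_NO_TLSv1),
    "SINGLE_DH_USE": int(ssl.OP_SINGLE_DH_USE),
    "CIPHER_SERVER_PREFERENCE": int(ssl.OP_CIPHER_SERVER_PREFERENCE),
    "NO_COMPRESSION": int(ssl.OP_NO_COMPRESSION),
}
# Only exists when Python was built against OpenSSL >= 1.1.0h.
if hasattr(ssl, "OP_NO_RENEGOTIATION"):
    OPTION_BITS["NO_RENEGOTIATION"] = int(ssl.OP_NO_RENEGOTIATION)

# Assumption: the library starts from SSL_OP_ALL unless told otherwise.
DEFAULT_BITS = OPTION_BITS["ALL"]


def parse_options(spec, default=DEFAULT_BITS):
    """Apply an option string left to right and return the resulting bitmask.

    A plain name sets its bits; a '!'-prefixed name clears them. Order
    matters: "!ALL,NO_SSLv3" keeps NO_SSLv3, "NO_SSLv3,!NO_SSLv3" drops it.
    """
    bits = int(default)
    for token in re.split(r"[:,\s]+", spec.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name not in OPTION_BITS:
            raise ValueError(f"unknown SSL option: {name}")
        if negate:
            bits &= ~OPTION_BITS[name]
        else:
            bits |= OPTION_BITS[name]
    return bits


def describe(bits):
    """Names whose bits are fully present in the mask (skips 0-valued names)."""
    return sorted(
        name for name, bit in OPTION_BITS.items()
        if bit and (bits & bit) == bit
    )


if __name__ == "__main__":
    for spec in ("!ALL", "!ALL,NO_SSLv3,CIPHER_SERVER_PREFERENCE",
                 "NO_SSLv3:!ALL", "NO_SSLv3,!NO_SSLv3"):
        mask = parse_options(spec)
        print(f"{spec!r:45} -> 0x{mask:08x} {describe(mask)}")
```

Run it and compare the first two lines: `!ALL` on its own leaves a mask of zero, which is the situation Jakob hit, while `!ALL` followed by named options leaves exactly those options set. Note that `ALL` covers only OpenSSL's bug-workaround bits, so `NO_SSLv3:!ALL` still keeps `NO_SSLv3`.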