On 8/07/2015 1:37 a.m., dweimer wrote:
> I just updated to Squid 3.5.6 and after running the Qualys SSL Labs test it
> still lists my server as supporting Secure Client-Initiated
> Renegotiation and potentially being vulnerable to CVE-2009-3555, which
> the patch
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849.patch>
> included in the 3.5.6 change list is described as hardening against. Is
> there an option I need to add to the https_port setting in my squid.conf
> file to correctly make use of this?
>
> Currently running with the following options specified:
>
> options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE \
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>
> System is running on FreeBSD 10.1-RELEASE-p14, using the OpenSSL included in
> base FreeBSD.

No, the change is automatic for all Squid built against an OpenSSL library
that supports the library API option.

If it is not working, then the library you are using probably does not
support that option. AFAIK you need at least OpenSSL 0.9.8m for anything
related to that vulnerability to be fixable.

The latest 1.x libraries do not support the flag we use because they do
the rejection internally without needing any help from Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
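The two checks that settle the question Amos answers (is the OpenSSL that Squid is linked against at or past 0.9.8m, and what does the https_port actually negotiate) can be scripted. The script below is an added example for this thread, not code from Squid or from either poster. It assumes the output format of `openssl version` and of `openssl s_client`; the `SAMPLE_NEW`/`SAMPLE_OLD` strings are constructed excerpts, not real captures, and `PROBE_HOST`/`PROBE_PORT` are names invented for this script. Note that the SSL Labs line the original poster quotes, "Secure Client-Initiated Renegotiation", reports that the server accepts RFC 5746 renegotiation requested by the client; that is a different finding from the insecure (pre-RFC 5746) renegotiation of CVE-2009-3555, which SSL Labs lists separately.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid's own code.
#   openssl_at_least_098m   - is an `openssl version` string >= 0.9.8m, the
#                             minimum Amos names for the renegotiation fix?
#   classify_renegotiation  - read the "Secure Renegotiation ..." line that
#                             `openssl s_client` prints after the handshake.
# PROBE_HOST / PROBE_PORT are assumed variable names for this script only.

openssl_at_least_098m() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.1p 9 Jul 2015"
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    num=$(printf '%s\n' "$v" | sed 's/[a-z].*$//')   # "0.9.8zg" -> "0.9.8"
    suf=$(printf '%s\n' "$v" | sed 's/^[0-9.]*//')   # "0.9.8zg" -> "zg"
    [ -n "$num" ] || return 1
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    # 1.x and later carry RFC 5746 and, as Amos says, reject unsafe
    # renegotiation inside the library.
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -lt 9 ] && return 1
    [ "$patch" -gt 8 ] && return 0
    [ "$patch" -lt 8 ] && return 1
    # 0.9.8 branch: the letter suffix decides. "m" and later qualify;
    # 0.9.8za .. 0.9.8zh sort after "m" too.
    case "$suf" in
        [m-z]*) return 0 ;;
        *)      return 1 ;;
    esac
}

classify_renegotiation() {
    # $1 is the captured output of: openssl s_client -connect HOST:PORT </dev/null
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) printf 'no-rfc5746\n' ;;
        *"Secure Renegotiation IS supported"*)     printf 'rfc5746\n' ;;
        *)                                         printf 'unknown\n' ;;
    esac
}

# Constructed excerpts of s_client output (not real captures).
SAMPLE_NEW='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'

# Local library check: run this on the Squid host so it sees the same
# OpenSSL that Squid was built against (base OpenSSL on FreeBSD in the thread).
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version)
    if openssl_at_least_098m "$ver"; then
        printf 'local library "%s": at or past 0.9.8m\n' "$ver"
    else
        printf 'local library "%s": older than 0.9.8m\n' "$ver"
    fi
fi
printf 'sample new library: %s\n' "$(classify_renegotiation "$SAMPLE_NEW")"
printf 'sample old library: %s\n' "$(classify_renegotiation "$SAMPLE_OLD")"

# Live probe of a Squid https_port, only when PROBE_HOST is set. After the
# handshake s_client waits on stdin; typing R on a line requests a
# client-initiated renegotiation, which is what the SSL Labs check exercises,
# so run it interactively to see whether the server completes it or drops
# the connection.
if [ -n "${PROBE_HOST:-}" ]; then
    port=${PROBE_PORT:-443}
    out=$(openssl s_client -connect "$PROBE_HOST:$port" </dev/null 2>&1)
    printf '%s:%s negotiates: %s\n' "$PROBE_HOST" "$port" "$(classify_renegotiation "$out")"
    printf 'interactive test: openssl s_client -connect %s:%s   (then type R)\n' "$PROBE_HOST" "$port"
fi
```

Run it with no arguments for the offline checks, or `PROBE_HOST=proxy.example PROBE_PORT=3129 sh check-renego.sh` to probe a real https_port. The version helper is the part that matters for this thread: if it reports the base library as older than 0.9.8m, no https_port option will help, and the fix is a newer OpenSSL, not a squid.conf change.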