
Re: Question about squid-3.5-13849.patch

On 8/07/2015 1:37 a.m., dweimer wrote:
> I just updated to Squid 3.5.6 and after running the Qualys SSL Labs test it
> still lists my server as supporting Secure Client-Initiated
> Renegotiation and potentially being vulnerable to CVE-2009-3555, which
> the patch
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849.patch>,
> included in the 3.5.6 change list, is described as hardening against. Is
> there an option I need to add to the https_port setting in my squid.conf
> file to correctly make use of this?
> 
> Currently running with the following options specified.
> 
>   options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE \
>   cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
> 
> System is Running on FreeBSD 10.1-RELEASE-p14, using OpenSSL included in
> base FreeBSD.
> 

No, the change is automatic for all Squid built against an OpenSSL
library that supports the library API option. If it is not working, then
the library you are using probably does not support that option.

AFAIK you need at least OpenSSL 0.9.8m for anything related to that
vulnerability to be fixable. The latest 1.x libraries do not support the
flag we use because they do the rejection internally without needing any
help from Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
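A defender's check for the two points in Amos's reply, added here as an example that is not from the thread or from Squid itself: a version gate for the 0.9.8m floor, and an s_client probe for whether an https_port still accepts client-initiated renegotiation. It assumes `openssl` on PATH, a reachable proxy (the host name is a placeholder), and the usual s_client behaviour that the request sent after the `R` line is only answered when the renegotiation was accepted.

```shell
#!/bin/sh
# Added example for this thread, not Squid project code. Assumes `openssl`
# is on PATH; host names and the banners in comments are constructed.

# Is an `openssl version` banner at least 0.9.8m, the floor the reply gives
# for CVE-2009-3555 to be fixable at all? Returns 0 = yes, 1 = too old,
# 2 = not an OpenSSL banner. Pre-1.0 releases carry a letter patch suffix,
# so "0.9.8m" has to sort after "0.9.8k" but before "1.0.0".
openssl_fix_available() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=$(printf '%s' "$rest" | tr -dc '0-9')   # "8m" -> 8
    letter=$(printf '%s' "$rest" | tr -dc 'a-z')  # "8m" -> m, may be empty
    [ "$major" -gt 0 ] && return 0                # any 1.x or later clears the floor
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -lt 9 ] && return 1
    [ "$patch" -gt 8 ] && return 0
    [ "$patch" -lt 8 ] && return 1
    case "$letter" in [m-z]*) return 0 ;; esac    # 0.9.8m .. 0.9.8zh
    return 1                                      # bare 0.9.8 or 0.9.8a..l
}

# Probe HOST:PORT the way the SSL Labs check does. s_client treats an "R"
# line as "renegotiate now" (it is not sent); a request follows once that has
# settled. A server that still honours client-initiated renegotiation keeps
# the session up and answers; a hardened server rejects the second handshake
# and the session is gone before the request is served. TLS 1.2 is pinned
# because TLS 1.3 has no renegotiation. 0 = accepted, 1 = refused, 2 = no "R".
client_renegotiation_accepted() {
    host=$1; port=${2:-443}
    out=$({ printf 'R\n'; sleep 2; printf 'GET / HTTP/1.0\r\n\r\n'; sleep 2; } \
          | openssl s_client -connect "$host:$port" -tls1_2 2>&1)
    printf '%s\n' "$out" | grep -q '^RENEGOTIATING' || return 2
    printf '%s\n' "$out" | grep -q '^HTTP/1\.'
}

# Usage: sh reneg-check.sh proxy.example.internal 443   (placeholder host)
if [ $# -ge 1 ]; then
    banner=$(openssl version)
    openssl_fix_available "$banner" && echo "local library: $banner (>= 0.9.8m)"
    client_renegotiation_accepted "$1" "${2:-443}"
    case $? in
        0) echo "$1: ACCEPTS client-initiated renegotiation (still exposed)" ;;
        1) echo "$1: refuses client-initiated renegotiation" ;;
        *) echo "$1: inconclusive, TLS session never reached the R step" ;;
    esac
fi
```

Run `openssl_fix_available "$(openssl version)"` on the proxy host itself, since it is Squid's linked library that matters, not the one on the machine running the probe.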