Also: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?#Hardening

09.02.16 19:52, dweimer wrote:
> On 2016-02-09 7:38 am, Sebastien.Boulianne@xxxxxx wrote:
>
>> Hi,
>>
>> I did an SSL test and I have some questions.
>>
>> The SSL test notified me that POODLE (SSLv3) and RC4 are enabled and/or vulnerable.
>>
>> Is there a way to block that with Squid?
>>
>> How can I disable those protocols? Server side or Squid side?
>>
>> Thanks for your answer guys.
>>
>> Sébastien
>
> Adjust your https_port line: adding options=NO_SSLv3 will remove the POODLE vulnerability, and adding !RC4 to the ciphers= will fix the RC4 message.
>
> Also, just an FYI, I have this setup on ours, which passed PCI compliance scan as of last run.
>
> options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
> dhparams=/usr/local/etc/squid/dh.param \
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
>
> See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html> for info on creating a dh.param file.
>
> See here <http://www.squid-cache.org/Doc/config/https_port/> for more info on the https_port line options.
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
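
An added example, not part of the thread or of Squid itself: a small Python check that reads https_port directives and reports which of the settings mentioned in the quoted reply (NO_SSLv2, NO_SSLv3, !RC4, dhparams=) are missing. The sample directives, port numbers, certificate path and the function name audit_https_ports are constructed for illustration.

```python
import re

# Constructed sample directives (not from the thread): one weak line, and one
# using the options= and cipher= values posted in the quoted reply.
SAMPLE_CONF = r"""
https_port 3129 cert=/etc/squid/proxy.pem cipher=ALL:!aNULL:!eNULL
https_port 3130 cert=/etc/squid/proxy.pem \
    options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
    dhparams=/usr/local/etc/squid/dh.param \
    cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
"""


def audit_https_ports(conf_text):
    """Map each https_port value to the list of hardening gaps found on it."""
    # Fold backslash-continued lines into one logical line first.
    folded = re.sub(r"\\[ \t]*\n[ \t]*", " ", conf_text)
    report = {}
    for line in folded.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "https_port":
            continue  # also skips comments and blank lines
        params = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        # Accept ':' or ',' as the separator between options= values.
        options = set(re.split(r"[:,]", params.get("options", "")))
        ciphers = params.get("cipher", "").split(":")
        gaps = []
        for flag in ("NO_SSLv2", "NO_SSLv3"):
            if flag not in options:
                gaps.append(f"options= lacks {flag}")
        # Heuristic: only an explicit '!RC4' token counts as excluding RC4;
        # this does not evaluate the full OpenSSL cipher-string semantics.
        if "!RC4" not in ciphers:
            gaps.append("cipher= lacks !RC4")
        if "dhparams" not in params:
            gaps.append("no dhparams= file")
        report[tokens[1]] = gaps
    return report


if __name__ == "__main__":
    for port, gaps in audit_https_ports(SAMPLE_CONF).items():
        print(port, "OK" if not gaps else "; ".join(gaps))
```

A clean report only says the directive is written as intended; re-run the external SSL test against the listening port to confirm what the proxy actually negotiates.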