Search squid archive

Re: Question about my SSL test

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Thanks you very much for your complete answer.
Do I need to recompile my Squid to disable those ciphers and protocols ?

Thanks.

-----Message d'origine-----
De : dweimer [mailto:dweimer@xxxxxxxxxxx] 
Envoyé : 9 février 2016 08:53
À : Sebastien Boulianne <Sebastien.Boulianne@xxxxxx>
Cc : squid-users@xxxxxxxxxxxxxxxxxxxxx
Objet : Re:  Question about my SSL test

On 2016-02-09 7:38 am, Sebastien.Boulianne@xxxxxx wrote:

> Hi,
> 
> I did a SSL test and I have some questions.
> 
> The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and 
> vulnerable.
> 
> Is it a way to block that with Squid ?
> 
> How can I disable thosed protocols ? Server side or Squid side ?
> 
> Thanks for your answer guys.
> 
> Sébastien

Adjust your https_port line, adding options=NO_SSLv3 will remove poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4 message.

Also, just an FYI, I have this setup on ours, which passed PCI compliance scan as of last run.


   options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
   dhparams=/usr/local/etc/squid/dh.param \
   cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4

See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html> for 
info on creating a dh.param file.

See here <http://www.squid-cache.org/Doc/config/https_port/> for more 
info on the https_port line options.


-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux