Hi, Thanks you very much for your answer. It's very appreciated. Can you give me a hint how to generate a dhparam key please ? I saw this link. Should it works ? https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/ or ## Create a DH parameter (key size is 1024 bits) $ openssl dHParam -outform PEM -out dHParam.pem 1024 Which file does it uses as input ? Thanks. -----Message d'origine----- De : dweimer [mailto:dweimer@xxxxxxxxxxx] Envoyé : 9 février 2016 08:53 À : Sebastien Boulianne <Sebastien.Boulianne@xxxxxx> Cc : squid-users@xxxxxxxxxxxxxxxxxxxxx Objet : Re: Question about my SSL test On 2016-02-09 7:38 am, Sebastien.Boulianne@xxxxxx wrote: > Hi, > > I did a SSL test and I have some questions. > > The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and > vulnerable. > > Is it a way to block that with Squid ? > > How can I disable thosed protocols ? Server side or Squid side ? > > Thanks for your answer guys. > > Sébastien Adjust your https_port line, adding options=NO_SSLv3 will remove poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4 message. Also, just an FYI, I have this setup on ours, which passed PCI compliance scan as of last run. options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \ dhparams=/usr/local/etc/squid/dh.param \ cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4 See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html> for info on creating a dh.param file. See here <http://www.squid-cache.org/Doc/config/https_port/> for more info on the https_port line options. -- Thanks, Dean E. Weimer http://www.dweimer.net/ _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
