On 10/08/2016 6:49 p.m., Frosch Martin wrote:
> Hello,
>
> I hope I am right here.
>
> I use Squid Version 3.5.20 as reverse Proxy for Outlook (2010)
> Anywhere and OWA. The problem is that I cannot transfer Files bigger
> than 2MB since the Microsoft Update
> https://technet.microsoft.com/de-de/library/security/3042058. This
> Update brings new Cipher Versions to IIS. Now I want to use older
> Cipher Sites but the following line of Squid config is not working
> 100%.

Why do you want to force bad security when better is available?

>
> cache_peer X.X.X.X parent 443 0 ssl no-query originserver
> sslflags=DONT_VERIFY_PEER
> ssloptions=NO_SSLv2:NO_SSLv3:ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET

Process those options (instructions) from left-to-right in your head.
You should see that all things are *enabled* at the end of it. That
includes SSLv2 and SSLv3 being enabled.

Hint: "ALL" force-enables everything the library is capable of.
Restrictions can only follow after it in the options list.

> sslcipher=AES256-SHA login=PASS name=exchangeServer standby=5
>
> Squid as Client uses always 38 Cipher Suites, no matter what I define
> as ssloptions or sslcipher.
>

cipher= is very rarely needed to be explicitly set. The library already
enables good ciphers, and options can enable others manually if needed.

Use of ALL in the options is often recommended by people without
understanding what it does. It enables *everything* the library is
capable of doing.

Basically using it means the admin (or whoever wrote the tutorial)
thinks they know security better than the experts who wrote the library.
Then the admin/author goes and lists removal of the (often few) things
they know are bad (at that point in time) - often missing out lots of
custom hacks they don't know the library just enabled as instructed, or
crypto things which are broken but long forgotten.

The best thing to do is to start with neither cipher nor options
configured at all and test what the library tries to offer. Use that
test to add specific disable/enable options to the options= list. Repeat
as necessary until what the library does meets your need.

HTH
Amos