On 3/02/2017 2:09 a.m., Vieri wrote:
> Hi,
>
> I'm running Squid 4 beta.
>
> # squid -v
> Squid Cache: Version 4.0.17-20170122-r14968
>
> I tested the following where Squid is listening on port 443 in accel mode.
>
> # echo "R" | openssl s_client -connect 192.168.101.2:443 2>&1 3>&1 | grep RENEGOTIATING
> RENEGOTIATING
>
> How can I disable client renegotiation?
>

For what reason is complete disable needed?

Renegotiating to an insecure version or cipher set is an issue to be fixed by configuring tls-min-version=1.Y and tls-options= disabling unwanted ciphers etc.

The potential DoS related to renegotiation is now prevented by rate limiting. The current generation of OpenSSL libraries (1.0+) all contain built-in protection from older forms of renegotiate that had other CVE issues.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users