On 04/09/17 20:36, chiasa.men wrote:
"RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?
squid.conf:
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
The above line configures what the Squid listening port parameters are.
There are no cipher restrictions listed, so any cipher the library
configuration allows is accepted on client->Squid connections.
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
These lines configure what Squid uses on its outbound server
connections. Those connections (only) are restricted by !RC4:!MD5.
Is the problem obvious now?
To make the Squid listening port reject RC4 or MD5 you need to add an
ssloptions= or sslcipher= parameter to the port line. Its syntax is the
same as the values on the sslproxy_* lines.
PS:
To make other services on the machine gain these same TLS protections
you should find and alter the library config file instead. OpenSSL's
libssl is a bit unusual: despite being a library, it has its own
system-wide config file just like applications do.
The squid.conf should only contain things which are different from your
machine's basic security profile.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
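The mistake in the thread is easy to make again, so here is an added check (example code, not part of the thread or of Squid) that reads a squid.conf, ignores the sslproxy_* directives, and reports every https_port line that carries no cipher or options parameter of its own. Both configurations below are constructed samples: the poster's original, and the same port line with client-side restrictions added using the sslcipher= and ssloptions= spellings named in the reply; the script also accepts the cipher= / options= / tls-options= spellings on the assumption that the parameter names differ between Squid releases, which you should confirm against the https_port documentation for your version. The cipher check is a string heuristic (only a "!ALG" entry counts as excluding ALG); run "openssl ciphers -v" on the same string to confirm what the linked library actually selects.

```python
"""Audit squid.conf TLS listening ports for missing cipher/option restrictions.

Added example (not Squid project code). The point it checks: sslproxy_*
directives only govern Squid's outbound server connections, so an https_port
line needs its own cipher and options parameters to reject RC4-MD5 from clients.
"""
import shlex

# Constructed sample: the poster's configuration, https_port line rejoined.
WEAK_CONF = """\
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
"""

# Constructed sample: same listening port with client-side restrictions added.
# Parameter spellings follow the reply (sslcipher=, ssloptions=); later Squid
# releases document cipher= / options= instead, so check your release's
# https_port documentation (assumption, not verified here).
FIXED_CONF = """\
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
"""

# Parameter spellings recognised (assumption: names vary across Squid releases).
CIPHER_PARAMS = ("sslcipher", "cipher")
OPTION_PARAMS = ("ssloptions", "options", "tls-options")
WEAK_ALGS = ("RC4", "MD5")


def _directives(conf_text):
    """Yield (line_no, directive, args) for each non-comment squid.conf line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = shlex.split(line)
            yield no, tokens[0], tokens[1:]


def _port_params(args):
    """Map key=value port parameters; bare flags such as 'accel' are ignored."""
    return dict(a.split("=", 1) for a in args if "=" in a)


def cipher_list_excludes(cipher_list, alg):
    """Conservative string check: only a '!ALG' entry permanently removes ALG
    from an OpenSSL cipher list ('-ALG' can be re-added later in the string).
    Confirm against the linked library with: openssl ciphers -v 'LIST'
    """
    return f"!{alg}" in cipher_list.split(":")


def audit_listening_ports(conf_text):
    """Return (line_no, message) findings for https_port lines whose TLS
    settings are inherited from the library defaults instead of squid.conf."""
    entries = list(_directives(conf_text))
    has_outbound_cipher = any(d == "sslproxy_cipher" for _, d, _ in entries)
    findings = []
    for no, directive, args in entries:
        if directive != "https_port":
            continue
        params = _port_params(args)
        cipher = next((params[k] for k in CIPHER_PARAMS if k in params), None)
        if cipher is None:
            msg = ("no cipher restriction on https_port: any cipher the library "
                   "config allows (RC4-MD5 included) is accepted from clients")
            if has_outbound_cipher:
                msg += "; sslproxy_cipher covers outbound server connections only"
            findings.append((no, msg))
        else:
            for alg in WEAK_ALGS:
                if not cipher_list_excludes(cipher, alg):
                    findings.append((no, f"https_port cipher list does not explicitly exclude {alg}: {cipher}"))
        if not any(k in params for k in OPTION_PARAMS):
            findings.append((no, "no options restriction on https_port: protocol versions follow the library config"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_listening_ports(conf) or "OK")
```

Run it against a real squid.conf by replacing the constructed strings with the file contents; an empty result for the listening ports, plus a matching "openssl ciphers -v" listing with no RC4 or MD5 suites, is what you want before trusting the sslproxy_* lines to mean anything for client connections.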