On Monday, 4 September 2017, 14:07:54 CEST, Amos Jeffries wrote:
> On 04/09/17 20:36, chiasa.men wrote:
> > "RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?
> >
> >
> > squid.conf:
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem
> > key=/example/key.pem
>
> The above line configures what the Squid listening port parameters are.
> There are no cipher restrictions listed, so any cipher the library
> configuration allows is accepted on client->Squid connections.
>
> > sslproxy_version 6
> > sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
> > sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
>
> These lines configure what Squid uses on its outbound server
> connections. Those connections (only) are restricted by !RC4:!MD5.
>
>
> Is the problem obvious now?
>
>
> To make the Squid listening port reject RC4 or MD5 you need to add an
> ssloptions= or sslcipher= parameter to the port line. Its syntax is the
> same as the values on the sslproxy_* lines.
>
>
> PS;
> To make other services on the machine gain these same TLS protections
> you should find and alter the library config file instead. OpenSSL's
> libssl is a bit unusual: despite being a library it has its own
> system-wide config file just like applications.
>
> The squid.conf should only contain things which are different from your
> machine's basic security profile.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Thanks, that was easy...
but: That does not work:

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5

openssl s_client -connect localhost:3128
140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

Allowing RC4 and MD5 works:

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5

openssl s_client -connect localhost:3128
Cipher : ECDH-ECDSA-RC4-SHA

But openssl works without allowing RC4 and MD5:

openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5'
openssl s_client -connect localhost:4433
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384

So I guess the certificate and the openssl part should work. Maybe you could give some other advice?

btw, the used squid version:
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux configure options:
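Added here as an example, not code from the thread or from the Squid project: a small POSIX sh check that enumerates which cipher suites a TLS listener actually accepts, so the effect of a cipher= setting on https_port can be verified from the outside instead of inferred from a single s_client run. The host/port defaults (localhost:3128, matching the https_port line above) are assumptions.

```shell
#!/bin/sh
# Probe a TLS listener with one "openssl s_client" handshake per suite
# and report which suites it accepts, flagging RC4 and MD5 ones.
# Assumed defaults: localhost:3128 (the https_port from the thread).

# Extract the negotiated suite name from s_client output. Prints nothing
# when the handshake failed (s_client then shows "Cipher    : 0000").
parse_negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | grep -v '^0000$' | head -n 1
}

# Succeeds (exit 0) when the suite name uses RC4 or MD5, the two
# families the squid.conf in the thread is trying to exclude.
cipher_is_weak() {
    case "$1" in
        *RC4*|*MD5*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Try every suite the local libssl knows against host:port.
# -cipher covers TLS 1.2 and earlier; TLS 1.3 suites (OpenSSL 1.1.1+)
# are configured with -ciphersuites instead and are not scanned here.
scan_ciphers() {
    host=${1:-localhost}
    port=${2:-3128}
    weak=0
    for suite in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        got=$(openssl s_client -connect "$host:$port" -cipher "$suite" \
                  </dev/null 2>/dev/null | parse_negotiated_cipher)
        [ -n "$got" ] || continue          # handshake refused: skip
        if cipher_is_weak "$got"; then
            echo "WEAK     $got"
            weak=$((weak + 1))
        else
            echo "accepted $got"
        fi
    done
    [ "$weak" -eq 0 ]                      # non-zero exit if RC4/MD5 seen
}

# Run the scan only when a host (and optionally a port) is given.
if [ "$#" -ge 1 ]; then
    scan_ciphers "$@"
fi
```

With the thread's second configuration (cipher=...:RC4:MD5) the scan would list ECDH-ECDSA-RC4-SHA as WEAK and exit non-zero; with the first one it shows which suites, if any, the port still negotiates.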