On 14/06/18 09:20, Julian Perconti wrote:
>
> #####
> Here an example:
> #####
>
> openssl s_client -connect 31.13.94.54:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 290 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1528924452
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>

The above says:
 * do not encrypt this content
 * disable all security checks
 * disable all ability to become secure later
 * send everything in plain-text format.

This is the "NULL" cipher (0000), which is forbidden in your sslproxy_cipher config by "!aNULL:!eNULL:!LOW".

The existence of this cipher is one reason why a) TLS does not necessarily make things secure, and b) making the proxy always "just work" is not necessarily a good idea.

... so you now have the choice:

Do you *actually* want security? If so, let the proxy block the traffic.

OR,

Do you want users to have the same experience as no-proxy gives? If so, remove the cipher etc. restrictions you have that improve security at the proxy.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
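The reply above turns on what "!aNULL:!eNULL:!LOW" actually does to a cipher list. The following is an added example, not code from the thread, from Squid or from OpenSSL: a small Python model of how an OpenSSL-style cipher string is evaluated (plain keywords add suites, "-" removes them but lets them be re-added, "!" removes them permanently), run over a constructed table of eight suites so you can see which anonymous (aNULL) and unencrypted (eNULL) suites a permissive "just work" list admits and the restrictive list rejects. The suite table, the `Suite` fields and the helper names are assumptions chosen for illustration; the real grammar has more keywords ("+", "@STRENGTH", "DEFAULT", ...) and far more suites, so check a real library with `openssl ciphers -v '<string>'`.

```python
"""Toy model of OpenSSL cipher-list evaluation (added example, not Squid or
OpenSSL code).  Only the subset of the grammar needed to see why
"!aNULL:!eNULL:!LOW" keeps NULL and anonymous suites out of a list."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL suite name
    auth: str       # peer authentication: "RSA", "ECDSA" or "aNULL" (anonymous)
    enc: str        # bulk cipher: "AESGCM", "AES", "3DES", "DES" or "eNULL" (none)
    strength: str   # OpenSSL strength class: "HIGH", "MEDIUM", "LOW" or "NONE"


# Constructed table (assumption: a representative handful, not the full OpenSSL list).
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "RSA", "AESGCM", "HIGH"),
    Suite("ECDHE-ECDSA-CHACHA20-POLY1305", "ECDSA", "CHACHA20", "HIGH"),
    Suite("AES128-SHA", "RSA", "AES", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "3DES", "MEDIUM"),
    Suite("DES-CBC-SHA", "RSA", "DES", "LOW"),
    Suite("ADH-AES128-SHA", "aNULL", "AES", "HIGH"),    # encrypted, but nobody is authenticated
    Suite("AECDH-NULL-SHA", "aNULL", "eNULL", "NONE"),  # neither authenticated nor encrypted
    Suite("NULL-SHA", "RSA", "eNULL", "NONE"),          # authenticated, plaintext on the wire
]
BY_NAME = {s.name: s for s in SUITES}


def matches(suite, keyword):
    """True if a cipher-string keyword selects this suite."""
    if keyword == "ALL":
        # As in OpenSSL, ALL means every suite except the eNULL ones.
        return suite.enc != "eNULL"
    return keyword in (suite.name, suite.auth, suite.enc, suite.strength)


def evaluate(cipher_string):
    """Return the ordered list of suite names a cipher string enables."""
    selected = []     # enabled suites, in the order they were added
    killed = set()    # "!" deletions are permanent: re-adding by name has no effect
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token[0] == "!":
            for s in SUITES:
                if matches(s, token[1:]):
                    killed.add(s.name)
                    if s.name in selected:
                        selected.remove(s.name)
        elif token[0] == "-":
            # Soft delete: a later keyword may bring the suite back.
            selected = [n for n in selected if not matches(BY_NAME[n], token[1:])]
        else:
            for s in SUITES:
                if matches(s, token) and s.name not in killed and s.name not in selected:
                    selected.append(s.name)
    return selected


def insecure_suites(cipher_string):
    """Suites the string still allows that give no authentication or no encryption."""
    return [n for n in evaluate(cipher_string)
            if BY_NAME[n].auth == "aNULL" or BY_NAME[n].enc == "eNULL"]


if __name__ == "__main__":
    # Permissive "just work" list: anonymous and plaintext suites are all on offer.
    print("ALL:eNULL              ->", insecure_suites("ALL:eNULL"))
    # The restrictive list from the thread: nothing anonymous or unencrypted survives.
    print("ALL:!aNULL:!eNULL:!LOW ->", insecure_suites("ALL:!aNULL:!eNULL:!LOW"))
    # "!" is permanent, so naming NULL-SHA afterwards does not re-enable it; "-" would.
    print(evaluate("!eNULL:NULL-SHA"), evaluate("-eNULL:NULL-SHA"))
```

The practical check this models is the one to run against the proxy's own library before and after loosening the list: if `openssl ciphers -v` on the configured string prints any suite whose Au or Enc column is "None", the proxy will happily negotiate exactly the kind of session the reply above describes.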