On 6/04/24 11:34, Jonathan Lee wrote:
if (empty($settings['sslproxy_compatibility_mode']) ||
    ($settings['sslproxy_compatibility_mode'] == 'modern')) {
    // Modern cipher suites
    $sslproxy_cipher =
        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
    $sslproxy_options .= ",NO_TLSv1";
} else {
    // Compatibility cipher suites: adds HIGH and does not exclude SHA1
    $sslproxy_cipher =
        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
}
Should the RC4 be removed or allowed?
https://github.com/pfsense/FreeBSD-ports/pull/1365
AFAIK it should be removed. What I was intending to point out was that
its removal via "!RC4" is likely making the prior "EECDH+aRSA+RC4"
addition pointless. Sorry if that was not clear.
If you check the TLS handshake and find Squid is working fine without
advertising "EECDH+aRSA+RC4" it would be a bit simpler/easier to read
the config by removing that cipher and just relying on the "!RC4".
HTH
Amos
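The check Amos suggests can be done offline, without looking at a live handshake, by asking the locally linked OpenSSL to expand both cipher strings. The example below is added here and is not code from the thread or from the pfSense squid package; it takes the "modern" string from the quoted code, builds a second string with the "EECDH+aRSA+RC4" element dropped, and compares the resulting cipher lists. The names MODERN, SIMPLIFIED, expand(), same_cipher_list() and reinstated_aes128_count() are this example's own. It also goes slightly beyond the thread by showing the general rule that explains the result: a "!" kill is permanent for the rest of the string, whereas a "-" delete can be undone by a later element. Which ciphers actually appear depends on the OpenSSL build Python is linked against.

```python
import ssl

# The "modern" string exactly as in the quoted pfSense code.
MODERN = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS"
)

# Same string with the "EECDH+aRSA+RC4" element removed (constructed for this example).
SIMPLIFIED = MODERN.replace("EECDH+aRSA+RC4:", "")


def expand(cipher_string):
    """Return the ordered TLS <= 1.2 cipher names OpenSSL selects for a cipher string.

    TLS 1.3 suites are governed by set_ciphersuites(), not by this string, and
    OpenSSL always reports them, so they are filtered out to keep the comparison honest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def same_cipher_list(a, b):
    """True if two cipher strings expand to the same ciphers in the same order."""
    return expand(a) == expand(b)


def contains_rc4(cipher_string):
    """True if any selected cipher uses RC4 (should never be the case after !RC4)."""
    return any("RC4" in name for name in expand(cipher_string))


def reinstated_aes128_count(delete_op):
    """Count AES128 suites selected by 'HIGH:<op>AES128:AES128'.

    With delete_op="!" the kill is permanent and the trailing AES128 element is
    ignored; with delete_op="-" the suites are deleted but the trailing element
    adds them back at the end of the list. This is why "!RC4" makes any earlier
    or later RC4 element a no-op.
    """
    names = expand(f"HIGH:{delete_op}AES128:AES128")
    return sum(1 for n in names if "AES128" in n)


if __name__ == "__main__":
    print("lists identical:", same_cipher_list(MODERN, SIMPLIFIED))
    print("RC4 present   :", contains_rc4(MODERN))
    print("'!' then re-add:", reinstated_aes128_count("!"), "AES128 suites")
    print("'-' then re-add:", reinstated_aes128_count("-"), "AES128 suites")
    for name in expand(SIMPLIFIED):
        print("  ", name)
```

If the two lists come out identical, the "EECDH+aRSA+RC4" element was contributing nothing and can be removed with no change in what Squid advertises; the "!RC4" at the end already guarantees no RC4 suite survives regardless of where it was added.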
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users