[squid-users] Specify sslproxy_cipher for one site

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 12 03:31:41 UTC 2015


On 12/04/2015 10:11 a.m., mattatrmc wrote:
> I've been troubleshooting a site that I haven't been able to load using the
> squid proxy.  Based on the information provided I was able to determine it
> was an issue with the cipher that the proxy was trying to use.
> 
> When I add sslproxy_cipher RCA-MD5 it allows the site to open.

RCA? Do you mean RC4?

> 
> Now my concern is that since this isn't a secure encryption option I would
> only like to make it available for the one site, however I can't seem to
> figure out how to do it with acl rules.  Is it possible to do, or do I have
> to leave it open for everyone?

No, it's not possible. And no, you should be very, very careful about
enabling it at all. RC4 requires a minimum 2048-bit key to have any
amount of security these days (lesser key sizes can be cracked in near
real time), and even then it requires connections to be completed/closed
relatively quickly before the attacker gets enough info to decipher the keys.

Then either your end or the remote site really, really needs an upgrade
to TLSv1.2 if that is the only mutually supported cipher. Now that
RFC 7465 prohibits RC4 usage entirely you will find a growing number of
software not supporting it at all.

Amos
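The contrast between the weak setting from the question and a hardened global setting, as an added squid.conf example that is not part of the thread. sslproxy_cipher and sslproxy_options are global Squid 3.x directives (they take no ACL, which is why the per-site restriction asked about cannot be expressed); the hardened cipher string and the NO_SSLv2/NO_SSLv3 option values are this example's own choices, not something the thread specifies.

```conf
# --- Weak (what the question enables for ALL outgoing TLS, not one site) ---
# sslproxy_cipher is global: every server Squid connects to on behalf of
# clients may now negotiate RC4-MD5, and no acl/http_access rule can scope it.
# sslproxy_cipher RC4-MD5

# --- Hardened (constructed for this example) ---
# Exclude RC4 and other weak suites for every outgoing connection; the
# OpenSSL cipher-string syntax is the same one sslproxy_cipher expects.
sslproxy_cipher HIGH:!aNULL:!eNULL:!RC4:!MD5:!EXPORT:!DES:!3DES

# Refuse the legacy protocol versions that are the usual reason a peer
# ends up offering RC4 as its only common suite.
sslproxy_options NO_SSLv2,NO_SSLv3
```

With the hardened lines, a site that genuinely supports nothing but RC4 will fail to load through the proxy (visible as a TLS handshake error in cache.log), which is the intended outcome: the remote side, or the proxy's TLS stack, needs the TLSv1.2 upgrade rather than the proxy weakening its policy for everyone.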


