[squid-users] Question about squid-3.5-13849.patch

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 7 14:05:45 UTC 2015


On 8/07/2015 1:37 a.m., dweimer wrote:
> I just updated to Squid 3.5.6 and after running the Qualys SSL Labs test it
> still lists my server as supporting Secure Client-Initiated
> Renegotiation and potentially being vulnerable to CVE-2009-3555 which
> the patch
> <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849.patch>
> included in the 3.5.6 change list, is described as hardening against. Is
> there an option I need to add to the https_port setting in my squid.conf
> file to correctly make use of this?
> 
> Currently running with the following options specified.
> 
>   options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE \
>   cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
> 
> System is Running on FreeBSD 10.1-RELEASE-p14, using OpenSSL included in
> base FreeBSD.
> 

No, the change is automatic for all Squid built against an OpenSSL
library that supports the library API option. If it is not working, then
the library you are using probably does not support that option.

AFAIK you need at least OpenSSL 0.9.8m for anything related to that
vulnerability to be fixable. The latest 1.x libraries do not support the
flag we use because they do the rejection internally without needing any
help from Squid.

Amos
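Whether the hardening took effect on a given build can be checked directly rather than inferred from the OpenSSL version: the same test SSL Labs runs is to complete a handshake and then ask for a second one from the client side. The script below is an added example for this thread, not Squid's or the SSL Labs code. It drives the openssl command-line client's interactive 'R' command and reads the handshake messages it prints. It assumes an openssl binary is on the PATH; the host name in the usage comment is a placeholder. For what it is worth, the flag situation has moved on since 2015: LibreSSL exposes SSL_OP_NO_CLIENT_RENEGOTIATION, OpenSSL 1.1.0h and later expose SSL_OP_NO_RENEGOTIATION, and OpenSSL 3.0 refuses client-initiated renegotiation by default unless SSL_OP_ALLOW_CLIENT_RENEGOTIATION is set, so the verdict you get depends on the library on both ends.

```shell
#!/bin/sh
# Added example (not Squid's code): probe a TLS server for client-initiated
# renegotiation using openssl s_client's interactive 'R' command, which is
# the same thing SSL Labs and the classic CVE-2009-3555 checks do.
# Requires the openssl CLI on PATH.

# probe_client_renegotiation HOST:PORT
#   prints:  accepted | refused | no-handshake
#   exit 0 = the server refused the second handshake (hardened)
#   exit 1 = the server completed a second handshake, i.e. it allows
#            client-initiated renegotiation (what SSL Labs reports)
#   exit 2 = no TLS 1.2 handshake happened at all (wrong port, TLS 1.2 off)
probe_client_renegotiation() {
    target="$1"
    # TLS 1.3 removed renegotiation, so force 1.2: that is the only version
    # on which the question is meaningful. -msg prints every handshake
    # message, which is what we parse. The 'R' line, sent once the first
    # handshake has had a second to finish, makes s_client send a fresh
    # ClientHello on the existing connection; the trailing sleep gives the
    # server time to answer before EOF on stdin makes s_client exit.
    out=$( { sleep 1; printf 'R\n'; sleep 2; } \
           | openssl s_client -connect "$target" -tls1_2 -msg 2>&1 ) || true

    # No ServerHello at all: we never got a TLS 1.2 session to renegotiate.
    if ! printf '%s\n' "$out" | grep -q ', ServerHello$'; then
        echo "no-handshake"
        return 2
    fi

    # One ServerHello is the initial handshake; a second one means the
    # server went along with the client's renegotiation request.
    hellos=$(printf '%s\n' "$out" | grep -c ', ServerHello$')
    if [ "$hellos" -ge 2 ]; then
        echo "accepted"
        return 1
    fi

    # Anything else (a no_renegotiation warning alert, or the server simply
    # dropping the connection) counts as refused.
    echo "refused"
    return 0
}

# Stand-alone use:  sh probe.sh proxy.example.org:443   (placeholder host)
if [ $# -gt 0 ]; then
    probe_client_renegotiation "$1"
fi
```

Against a Squid https_port the interesting case is the one this thread is about: "accepted" on a build whose OpenSSL has no suitable option, "refused" where the option exists and Squid sets it, or where the library itself refuses. Run it with a name, not an IP, when the port serves several virtual hosts, so the SNI s_client derives from the -connect argument selects the right certificate.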
