[squid-users] Question about my SSL test

Yuri Voinov yvoinov at gmail.com
Tue Feb 9 13:54:30 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Also:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit?#Hardening

09.02.16 19:52, dweimer пишет:
> On 2016-02-09 7:38 am, Sebastien.Boulianne at cpu.ca wrote:
>
>> Hi,
>>
>> I did a SSL test and I have some questions.
>>
>> The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and
vulnerable.
>>
>> Is it a way to block that with Squid ?
>>
>> How can I disable thosed protocols ? Server side or Squid side ?
>>
>> Thanks for your answer guys.
>>
>> Sébastien
>
> Adjust your https_port line, adding options=NO_SSLv3 will remove
poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4
message.
>
> Also, just an FYI, I have this setup on ours, which passed PCI
compliance scan as of last run.
>
>
>   options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>   dhparams=/usr/local/etc/squid/dh.param \
>   cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
>
> See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html>
for info on creating a dh.param file.
>
> See here <http://www.squid-cache.org/Doc/config/https_port/> for more
info on the https_port line options.
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJWue+WAAoJENNXIZxhPexG+FQH/iGodwOAu3DDCjEnWlFlmEAc
sAiMRAafF0Zp2sPSge/EfwzkfmW4AWt1LR0vPYx1vZCG7MJaAPUuw7UfpkCLA/nb
Zjz6RTYWohU+4lwLNBT2ZOy+Zytfws/KxPJ2Zk5/hGvsAy1OnmAT5UaElCUhxMkV
iBEURXZ8nWw6G5HFpLenRW5MdGDwqk3iuyXZ0CBsAWRAYdyfYNSU+2lc02ghp6da
EldSvPV4i9+9OXyy/NXGaCnOPunTRN5BbKoGQTPAmGDuA3WDeMRsap8/ifVYVmUH
zgLSaFKz6imFGKz3wCZoITczCggevhxSwjjNpGuicN3WGe1ZjiPXideHWWiJKn0=
=UipT
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160209/171dcf77/attachment.key>


More information about the squid-users mailing list