[squid-users] RC4-MD5 cipher is always enabled?

chiasa.men chiasa.men at web.de
Mon Sep 4 08:36:41 UTC 2017

"RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5

squid -f /tmp/s.conf -N -d debug

SSLScan reports RC4-MD5 is accepted:

sslscan --no-failed localhost:3128
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  112 bits  DES-CBC3-SHA

Connection with RC4-MD5 is successful:
openssl s_client -connect localhost:3128 -cipher RC4-MD5
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Cipher    : RC4-MD5

Connection with rejected ciphers is not successful:

openssl s_client -connect localhost:3128 -cipher ECDHE-RSA-NULL-SHA
140016624731800:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:769:

New, (NONE), Cipher is (NONE)
    Cipher    : 0000

More information about the squid-users mailing list