[squid-users] RC4-MD5 cipher is always enabled?

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 4 12:07:54 UTC 2017


On 04/09/17 20:36, chiasa.men wrote:
> "RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?
> 
> 
> 
> squid.conf:
> https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
> example/key.pem

The line above configures the Squid listening port parameters. 
There are no cipher restrictions listed, so any cipher the library 
configuration allows is accepted on client->Squid connections.



> sslproxy_version 6
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
> sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
> 

These lines configure what Squid uses on its outbound server 
connections. Those connections (only) are restricted by !RC4:!MD5.


Is the problem obvious now?


To make the Squid listening port reject RC4 or MD5 you need to add an 
ssloptions= or sslcipher= parameter to the port line. Its syntax is the 
same as the values on the sslproxy_* lines.


PS:
  To make other services on the machine gain these same TLS protections 
you should find and alter the library config file instead. OpenSSL's 
libssl is a bit unusual: despite being a library, it has its own 
system-wide config file just like applications.

The squid.conf should only contain things which are different from your 
machine's basic security profile.


HTH
Amos
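An added example, not part of the original post or of the Squid project's own documentation, showing the fix Amos describes: the poster's unrestricted port line beside the same line with ssloptions= and sslcipher= carrying exactly the policy already applied to the outbound side. Hostname, certificate paths and the cipher string are taken from the question as posted; nothing else is assumed.

```conf
# Listening port (client -> Squid) as posted: no cipher or protocol
# restrictions, so the library defaults decide, and RC4-MD5 stays on offer.
#https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem

# Same port with the restrictions applied. ssloptions= and sslcipher= take
# the same values as sslproxy_options and sslproxy_cipher below.
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem ssloptions=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5

# Outbound side (Squid -> origin server), unchanged from the question.
# These lines never affected what clients could negotiate with the port.
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
```

Two things to check before reloading. First, the cipher string names a single ECDHE-ECDSA suite, so /example/cert.pem must be an ECDSA certificate; with an RSA certificate no suite can match and the port will fail every handshake, not just RC4 ones. Second, verify the result from the outside rather than trusting the config: `openssl s_client -connect www.example.com:3128 -cipher RC4-MD5` should now end in a handshake failure (on an OpenSSL build that still compiles RC4 at all; if the client library refuses the cipher locally, the test proves nothing about the server). On Squid 3.5 and later the same port parameters are also spelled options= and cipher=; the ssl-prefixed names remain accepted.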

