[squid-users] Question about squid-3.5-13849.patch

dweimer dweimer at dweimer.net
Tue Jul 7 13:37:36 UTC 2015


I just updated to Squid 3.5.6, and after running the Qualys SSL Labs test it 
still lists my server as supporting Secure Client-Initiated 
Renegotiation and potentially being vulnerable to CVE-2009-3555, which 
the patch 
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13849.patch>, 
included in the 3.5.6 change list, is described as hardening against. Is 
there an option I need to add to the https_port setting in my squid.conf 
file to correctly make use of this?

Currently running with the following options specified.

   options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE \
   cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \

System is running on FreeBSD 10.1-RELEASE-p14, using OpenSSL included in 
base FreeBSD.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/

