[squid-users] Reverse Proxy and SSL client side renegotiation
Jakob Curdes
jc at info-systems.de
Fri May 8 10:46:10 UTC 2015
Hello all, I have configured squid 3.3.8 (CentOS 7 rpm) as an SSL
reverse proxy which works fine. However, I would like to make it as
secure as possible. The SSLLabs test showed
"Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more
info
<https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks?_ga=1.161215733.973769323.1423134297>)"
I found an old thread here where it was suggested it depends on the
default of the OpenSSL library installed and that on compiling squid,
you can disable this option by specifying SSL_OP_ALL=0. However I would
like to stick to the RPM if possible.
Is there a way to disable this via a configuration option? I tried to
pass options=!ALL in the config but then no SSL connection is possible as
the peers do not find any common cipher....
I have put together everything else to get a secure SSL connection which
also gets an A grade in the Qualys SSL test. I will post it here when it
is done and I will also put it on the squid wiki.
Best regards,
Jakob Curdes
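The check behind the SSLLabs finding, as an added example that is not part of the post above nor Squid's own tooling: openssl s_client reads a single "R" line from stdin as a request to renegotiate (TLS 1.2 and below only), so a reverse proxy can be probed locally before re-running the online test. The command and the "R" behaviour are real; how the captured output is classified (the "RENEGOTIATING" marker, the "no renegotiation" alert text printed with -state, "handshake failure", "errno=") is an assumption about s_client's wording that should be confirmed against the OpenSSL build in use. The host, port and sample outputs are placeholders.

```shell
#!/bin/sh
# Added example (not from the list post or the Squid project): probe whether
# a TLS server accepts a secure client-initiated renegotiation by driving
# openssl s_client with its "R" stdin command, then classify the transcript.
# The strings matched in classify_renego are an ASSUMPTION about s_client's
# output; verify them against the OpenSSL version you run this with.

# Connect to HOST:PORT, request one renegotiation, return the full transcript.
# -tls1_2 forces a version on which renegotiation exists at all (TLS 1.3 has
# none), and -state makes s_client print handshake progress and alerts.
probe_renego() {
    host="$1"; port="${2:-443}"
    # "R" makes s_client call SSL_renegotiate(); the sleep keeps the session
    # open long enough for the second handshake (or the refusal) to show up.
    (printf 'R\n'; sleep 2) | openssl s_client -connect "$host:$port" \
        -servername "$host" -tls1_2 -state 2>&1
}

# Classify a captured s_client transcript.
# Prints one of: accepted | refused | no-renego-attempted
classify_renego() {
    out="$1"
    # Without the RENEGOTIATING line the probe never reached the "R" step
    # (connection failed, wrong port, TLS version not offered, ...).
    if ! printf '%s\n' "$out" | grep -q '^RENEGOTIATING'; then
        echo no-renego-attempted
        return 0
    fi
    # Assumed refusal markers: a no_renegotiation warning alert (servers built
    # with SSL_OP_NO_RENEGOTIATION), a fatal handshake failure, or the socket
    # being torn down right after the request.
    if printf '%s\n' "$out" | grep -Eqi 'no renegotiation|handshake failure|errno='; then
        echo refused
    else
        # The server let the second handshake proceed: the SSLLabs
        # "Secure Client-Initiated Renegotiation: Supported" case.
        echo accepted
    fi
}

# Usage: sh probe.sh proxy.example.org 443   (hostname is a placeholder)
if [ "$#" -ge 1 ]; then
    transcript="$(probe_renego "$1" "${2:-443}")"
    classify_renego "$transcript"
fi
```

A result of accepted is what the Qualys report flags: each renegotiation costs the server a full handshake, which is why an unauthenticated client can use it for CPU exhaustion. The probe only tells you whether a second handshake is allowed, not how many per second the proxy will tolerate.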