[squid-users] Reverse Proxy and SSL client side renegotiation
Amos Jeffries
squid3 at treenet.co.nz
Fri May 8 12:22:17 UTC 2015
On 8/05/2015 10:46 p.m., Jakob Curdes wrote:
> Hello all, I have configured squid 3.3.8 (CentOS 7 rpm) as an SSL
> reverse proxy which works fine. However, I would like to make it as
> secure as possible. The SSLLabs test showed
> "Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more
> info
> <https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks?_ga=1.161215733.973769323.1423134297>)"
>
>
> I found an old thread here where it was suggested it depends on the
> default of the OpenSSL library installed and that on compiling squid,
> you can disable this option by specifying SSL_OP_ALL=0. However I would
> like to stick to the RPM if possible.
Very old thread. Your version of Squid should already contain the
relevant change that would have caused.
> Is there a way to disable this via a configuration option? I tried to
> pass options=!ALL in the config but then no SSL conection is possible as
> the peers do not find any common cipher....
Er, yes. You have to follow !ALL with the explicit ':' or ',' separated
list of things which you do want to work.
The real answer though is to use an up to date OpenSSL version.
Amos
More information about the squid-users
mailing list