[squid-users] Question about my SSL test
Yuri Voinov
yvoinov at gmail.com
Tue Feb 9 14:11:41 UTC 2016
No. This is a configuration-only solution.
On 09.02.16 20:03, Sebastien.Boulianne at cpu.ca wrote:
> Hi,
>
> Thank you very much for your complete answer.
> Do I need to recompile my Squid to disable those ciphers and protocols?
>
> Thanks.
>
> -----Original Message-----
> From: dweimer [mailto:dweimer at dweimer.net]
> Sent: 9 February 2016 08:53
> To: Sebastien Boulianne <Sebastien.Boulianne at cpu.ca>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Question about my SSL test
>
> On 2016-02-09 7:38 am, Sebastien.Boulianne at cpu.ca wrote:
>
>> Hi,
>>
>> I did an SSL test and I have some questions.
>>
>> The SSL test notified me that POODLE (SSLv3), RC4 are enabled and/or
>> vulnerable.
>>
>> Is there a way to block that with Squid?
>>
>> How can I disable those protocols? Server side or Squid side?
>>
>> Thanks for your answer guys.
>>
>> Sébastien
>
> Adjust your https_port line, adding options=NO_SSLv3 will remove
> poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4
> message.
>
> Also, just an FYI, I have this setup on ours, which passed PCI
> compliance scan as of last run.
>
>
> options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
> dhparams=/usr/local/etc/squid/dh.param \
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
>
> See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html> for
> info on creating a dh.param file.
>
> See here <http://www.squid-cache.org/Doc/config/https_port/> for more
> info on the https_port line options.
>
>