[squid-users] Question about my SSL test
Sebastien.Boulianne at cpu.ca
Sebastien.Boulianne at cpu.ca
Tue Feb 9 17:46:02 UTC 2016
Hi,
Thanks you very much for your answer.
It's very appreciated.
Can you give me a hint how to generate a dhparam key please ?
I saw this link.
Should it works ?
https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
or
## Create a DH parameter (key size is 1024 bits)
$ openssl dHParam -outform PEM -out dHParam.pem 1024
Which file does it uses as input ?
Thanks.
-----Message d'origine-----
De : dweimer [mailto:dweimer at dweimer.net] Envoyé : 9 février 2016 08:53 À : Sebastien Boulianne <Sebastien.Boulianne at cpu.ca> Cc : squid-users at lists.squid-cache.org Objet : Re: [squid-users] Question about my SSL test
On 2016-02-09 7:38 am, Sebastien.Boulianne at cpu.ca wrote:
> Hi,
>
> I did a SSL test and I have some questions.
>
> The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and
> vulnerable.
>
> Is it a way to block that with Squid ?
>
> How can I disable thosed protocols ? Server side or Squid side ?
>
> Thanks for your answer guys.
>
> Sébastien
Adjust your https_port line, adding options=NO_SSLv3 will remove poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4 message.
Also, just an FYI, I have this setup on ours, which passed PCI compliance scan as of last run.
options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
dhparams=/usr/local/etc/squid/dh.param \
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html> for info on creating a dh.param file.
See here <http://www.squid-cache.org/Doc/config/https_port/> for more info on the https_port line options.
--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
More information about the squid-users
mailing list