[squid-users] Question about my SSL test
Yuri Voinov
yvoinov at gmail.com
Tue Feb 9 18:27:46 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Just for example:
openssl dhparam -outform PEM -out dhparam.pem 2048
09.02.16 23:46, Sebastien.Boulianne at cpu.ca пишет:
> Hi,
>
> Thanks you very much for your answer.
> It's very appreciated.
>
> Can you give me a hint how to generate a dhparam key please ?
>
> I saw this link.
> Should it works ?
>
>
https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
> or
> ## Create a DH parameter (key size is 1024 bits)
> $ openssl dHParam -outform PEM -out dHParam.pem 1024
>
> Which file does it uses as input ?
>
> Thanks.
>
> -----Message d'origine-----
> De : dweimer [mailto:dweimer at dweimer.net] Envoyé : 9 février 2016
08:53 À : Sebastien Boulianne <Sebastien.Boulianne at cpu.ca> Cc :
squid-users at lists.squid-cache.org Objet : Re: [squid-users] Question
about my SSL test
>
> On 2016-02-09 7:38 am, Sebastien.Boulianne at cpu.ca wrote:
>
>> Hi,
>>
>> I did a SSL test and I have some questions.
>>
>> The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and
>> vulnerable.
>>
>> Is it a way to block that with Squid ?
>>
>> How can I disable thosed protocols ? Server side or Squid side ?
>>
>> Thanks for your answer guys.
>>
>> Sébastien
>
> Adjust your https_port line, adding options=NO_SSLv3 will remove
poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4
message.
>
> Also, just an FYI, I have this setup on ours, which passed PCI
compliance scan as of last run.
>
>
> options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
> dhparams=/usr/local/etc/squid/dh.param \
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
>
> See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html>
for info on creating a dh.param file.
>
> See here <http://www.squid-cache.org/Doc/config/https_port/> for more
info on the https_port line options.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWui+iAAoJENNXIZxhPexGkV8IAMu+a0NPC20KfGLfw2cWbF+a
5d97idY5mWcZRyaxydavgRf66C0mBTVe5dlGSf1/w6rCpghraIAg2Yd/F4wEBxba
xOsxyqe3IZnq1tzbpN4bTk+MG04miIe8qTSYt1A3K75NXWSy6U9o6gsNA8HTbn88
AQpJkiJH4LHCeSTwkpSbgt1OxxPtxOapPIWojGRZYLPlxg6YSdkWW17Pai8vIz+x
j571bejHd24u/9zz4NmiwY/MrlHFDtOyE9WBE/xVjhVQz+xQ5zp0j+hVA1WD3Q2M
7tAD1TdECCQyLGyUy5mb18Pwk0ckad2DQkHW5mrlrCuuA49krtJMDQrceiAf0as=
=+H2B
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160210/55bda5fe/attachment.key>
More information about the squid-users
mailing list