[squid-users] Question about my SSL test
Yuri Voinov
yvoinov at gmail.com
Tue Feb 9 18:30:45 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Oooooops......
09.02.16 23:46, Sebastien.Boulianne at cpu.ca пишет:
> Hi,
>
> Thanks you very much for your answer.
> It's very appreciated.
>
> Can you give me a hint how to generate a dhparam key please ?
>
> I saw this link.
> Should it works ?
>
>
https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
> or
> ## Create a DH parameter (key size is 1024 bits)
> $ openssl dHParam -outform PEM -out dHParam.pem 1024
>
> Which file does it uses as input ?
It has no input. DH parameters will be generated by openssl. Also 1024
may be too small value. Use 2048, but remember: often DH generation,
and, especially, they screening, can take much time.
>
>
> Thanks.
>
> -----Message d'origine-----
> De : dweimer [mailto:dweimer at dweimer.net] Envoyé : 9 février 2016
08:53 À : Sebastien Boulianne <Sebastien.Boulianne at cpu.ca> Cc :
squid-users at lists.squid-cache.org Objet : Re: [squid-users] Question
about my SSL test
>
> On 2016-02-09 7:38 am, Sebastien.Boulianne at cpu.ca wrote:
>
>> Hi,
>>
>> I did a SSL test and I have some questions.
>>
>> The SSL test notified me that POODLE (SSLv3), RC4 are enable or/and
>> vulnerable.
>>
>> Is it a way to block that with Squid ?
>>
>> How can I disable thosed protocols ? Server side or Squid side ?
>>
>> Thanks for your answer guys.
>>
>> Sébastien
>
> Adjust your https_port line, adding options=NO_SSLv3 will remove
poodle vulnerability, and adding !RC4 to the ciphers= will fix the RC4
message.
>
> Also, just an FYI, I have this setup on ours, which passed PCI
compliance scan as of last run.
>
>
> options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
> dhparams=/usr/local/etc/squid/dh.param \
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
>
> See here <https://www.openssl.org/docs/manmaster/apps/dhparam.html>
for info on creating a dh.param file.
>
> See here <http://www.squid-cache.org/Doc/config/https_port/> for more
info on the https_port line options.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWujBUAAoJENNXIZxhPexGUlIH/1KlK5+NXMo1pB16h7LwrQAZ
NF1/iJfBnJOjucXF5cQdhwGT/il+DeRDvbhFo4aai47zzHxqC7t242QnWD+L5vzW
g3GTec5F1VlvMkDzK2I5eY0vuty0pQEkQKkKde/s6pFdRqRvirey0HxN6TF68OlV
Tgk+J/Y3ZW4xYOKYzVa2JiDwtARauF9MwN6J2JJDmaEEptMpnAL1Ad9TxDW1JClp
qTzsA3a7j9hrcsY9eXaA+7tvh+hrwqfrDVS5Vp0Q20dfswN9fcZuAPssaG4lzM21
W81c3hjKymZGKBta4R1pFj3H+zcNrfTuIF/ib3cOQnw7AE1XGQLg2uVwHU+5M8E=
=vyMz
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160210/f2ac7c3b/attachment-0001.key>
More information about the squid-users
mailing list