[squid-users] RC4-MD5 cipher is always enabled?
chiasa.men
chiasa.men at web.de
Mon Sep 4 08:36:41 UTC 2017
"RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?

squid.conf:

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5

squid -f /tmp/s.conf -N -d debug

SSLScan reports RC4-MD5 is accepted:

sslscan --no-failed localhost:3128
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits DES-CBC3-SHA

Connection with RC4-MD5 is successful:

openssl s_client -connect localhost:3128 -cipher RC4-MD5
New, TLSv1/SSLv3, Cipher is RC4-MD5
Cipher : RC4-MD5

Connection with rejected ciphers is not successful:

openssl s_client -connect localhost:3128 -cipher ECDHE-RSA-NULL-SHA
140016624731800:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
New, (NONE), Cipher is (NONE)
Cipher : 0000
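
Added example (not part of the original post): a Python check that compares the sslscan "Accepted" lines above with the policy the posted squid.conf intends, listing every accepted suite that falls outside it and why. It assumes the sslscan line format shown in the post and handles only explicit cipher names and !TOKEN exclusions, not the full OpenSSL cipher-list syntax; the function names are hypothetical.

```python
import re

# Intended policy, copied from the squid.conf in the post.
OPTIONS = "NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET"
CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5"

# Sample input: the "Accepted" lines sslscan printed in the post.
SSLSCAN_OUTPUT = """\
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits DES-CBC3-SHA
"""

ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+\d+\s+bits\s+(\S+)\s*$")

def parse_policy(options, ciphers):
    """Return (disabled protocols, allowed cipher names, excluded name tokens).

    NO_TLSv1_1 becomes "TLSv1.1", the way sslscan spells protocol versions.
    """
    disabled = {o[3:].replace("_", ".") for o in options.split(",")
                if o.startswith(("NO_SSL", "NO_TLS"))}
    parts = [p for p in ciphers.split(":") if p]
    allowed = {p for p in parts if not p.startswith("!")}
    excluded = {p[1:] for p in parts if p.startswith("!")}
    return disabled, allowed, excluded

def violations(scan_output, options=OPTIONS, ciphers=CIPHERS):
    """List (protocol, cipher, reasons) for each accepted suite that breaks the policy."""
    disabled, allowed, excluded = parse_policy(options, ciphers)
    found = []
    for line in scan_output.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # banner, blank or non-"Accepted" line
        proto, cipher = m.groups()
        reasons = []
        if proto in disabled:
            reasons.append(f"{proto} is disabled")
        reasons += [f"excluded by !{t}" for t in sorted(excluded & set(cipher.split("-")))]
        if cipher not in allowed:
            reasons.append("not in cipher list")
        if reasons:
            found.append((proto, cipher, reasons))
    return found
```

Calling `violations(SSLSCAN_OUTPUT)` on the scan from the post flags all eight accepted suites, since each one is negotiated over TLSv1 and none is the single cipher named in the cipher list.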