[squid-users] RC4-MD5 cipher is always enabled?
Amos Jeffries
squid3 at treenet.co.nz
Mon Sep 4 12:07:54 UTC 2017
On 04/09/17 20:36, chiasa.men wrote:
> "RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?
>
>
>
> squid.conf:
> https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
The above line configures what the Squid listening port parameters are.
There are no cipher restrictions listed, so any cipher the library
configuration allows is accepted on client->Squid connections.
> sslproxy_version 6
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
> sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
>
These lines configure what Squid uses on its outbound server
connections. Those connections (only) are restricted by !RC4:!MD5.
Is the problem obvious now?
To make the Squid listening port reject RC4 or MD5 you need to add an
ssloptions= or sslcipher= parameter to the port line. Its syntax is the
same as the values on the sslproxy_* lines.
PS:
To make other services on the machine gain these same TLS protections
you should find and alter the library config file instead. OpenSSL's
libssl is a bit unusual: despite being a library, it has its own
system-wide config file just like applications.
The squid.conf should only contain things which are different from your
machine's basic security profile.
HTH
Amos
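An added example (not from the thread or from the Squid project) that checks the distinction Amos describes: it lints the https_port lines of a squid.conf for their own sslcipher=/ssloptions= parameters and deliberately ignores sslproxy_*, since those only govern outbound connections. The sample config is constructed from the lines quoted above, and the cipher check is lexical (it does not evaluate OpenSSL cipher-string aliases such as ALL).

```python
"""Lint squid.conf listening ports for missing or weak TLS restrictions."""
import shlex

# Constructed sample: the poster's port line plus a corrected second port.
SAMPLE_CONF = """\
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
https_port 3129 accel cert=/example/cert.pem key=/example/key.pem sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5 ssloptions=NO_SSLv3,NO_TLSv1
"""

WEAK = ("RC4", "MD5")  # tokens the thread wants kept off the listening port


def lint_https_ports(conf_text):
    """Return (port, problem) pairs for each https_port line.

    sslproxy_* directives are skipped on purpose: they restrict Squid's
    outbound server connections, not what clients may negotiate inbound.
    """
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("https_port"):
            continue
        tokens = shlex.split(line)
        port = tokens[1]
        # key=value parameters on the port line (cert=, key=, sslcipher=, ...)
        opts = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        if "ssloptions" not in opts:
            findings.append((port, "no ssloptions=; protocol versions follow the library default"))
        cipher = opts.get("sslcipher")
        if cipher is None:
            findings.append((port, "no sslcipher=; library default cipher list applies"))
            continue
        # Lexical check: a weak token listed without a '!' or '-' prefix is permitted.
        for part in cipher.split(":"):
            name = part.lstrip("!-+")
            if not part.startswith(("!", "-")) and any(w in name for w in WEAK):
                findings.append((port, f"cipher string permits {name}"))
    return findings


if __name__ == "__main__":
    for port, problem in lint_https_ports(SAMPLE_CONF):
        print(f"https_port {port}: {problem}")
```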