[squid-users] Squid cache questions
Amos Jeffries
squid3 at treenet.co.nz
Sun Apr 7 03:09:55 UTC 2024
On 6/04/24 11:34, Jonathan Lee wrote:
> if (empty($settings['sslproxy_compatibility_mode']) ||
> ($settings['sslproxy_compatibility_mode'] == 'modern')) {
> // Modern cipher suites
> $sslproxy_cipher =
> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
> $sslproxy_options .= ",NO_TLSv1";
> } else {
> $sslproxy_cipher =
> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
> }
>
> Should the RC4 be removed or allowed?
>
> https://github.com/pfsense/FreeBSD-ports/pull/1365
>
AFAIK it should be removed. What I was intending to point out was that
its removal via "!RC4" is likely making the prior "EECDH+aRSA+RC4"
addition pointless. Sorry if that was not clear.
If you check the TLS handshake and find Squid is working fine without
advertising "EECDH+aRSA+RC4" it would be a bit simpler/easier to read
the config by removing that cipher and just relying on the "!RC4".
HTH
Amos
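The point about "!RC4" making the earlier "EECDH+aRSA+RC4" entry pointless follows from OpenSSL cipher-string rules: "!" deletes the matching suites permanently, so nothing added before it can survive. Below is an added Python check (not code from this thread, pfSense or Squid) that feeds both variants of the quoted "modern" string to the OpenSSL linked into Python's ssl module and compares the suites that actually result; it assumes only the standard library.

```python
import ssl

# The pfSense "modern" cipher string as quoted in the thread, and the same
# string with the "EECDH+aRSA+RC4" entry removed.
WITH_RC4_ENTRY = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS"
)
WITHOUT_RC4_ENTRY = WITH_RC4_ENTRY.replace("EECDH+aRSA+RC4:", "")


def effective_ciphers(cipher_string: str) -> list[str]:
    """Return the TLS <= 1.2 suites OpenSSL enables for a cipher string.

    The string is handed to OpenSSL unchanged, so the result reflects the
    real '+', ':' and '!' semantics. TLS 1.3 suites are configured by a
    separate mechanism and are filtered out here because the cipher
    string does not influence them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def rc4_suites(cipher_string: str) -> list[str]:
    """Any RC4 suite that survived the cipher string (expected: none)."""
    return [n for n in effective_ciphers(cipher_string) if "RC4" in n]


def rc4_entry_is_redundant() -> bool:
    """True when dropping "EECDH+aRSA+RC4" changes the enabled suite list
    not at all, i.e. the later "!RC4" already removed everything it added."""
    return effective_ciphers(WITH_RC4_ENTRY) == effective_ciphers(WITHOUT_RC4_ENTRY)


if __name__ == "__main__":
    print("RC4 suites enabled:", rc4_suites(WITH_RC4_ENTRY))
    print("EECDH+aRSA+RC4 entry redundant:", rc4_entry_is_redundant())
    for name in effective_ciphers(WITHOUT_RC4_ENTRY):
        print("  ", name)
```

The same comparison can be run against the "compatibility" string from the quoted block; because both end in "!RC4", the result is identical.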