[squid-users] Squid cache questions

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 7 03:09:55 UTC 2024


On 6/04/24 11:34, Jonathan Lee wrote:
> if (empty($settings['sslproxy_compatibility_mode']) || 
> ($settings['sslproxy_compatibility_mode'] == 'modern')) {
> // Modern cipher suites
> $sslproxy_cipher = 
> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
> $sslproxy_options .= ",NO_TLSv1";
> } else {
> $sslproxy_cipher = 
> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
> }
> 
> Should the RC4 be removed or allowed?
> 
> https://github.com/pfsense/FreeBSD-ports/pull/1365
> 


AFAIK it should be removed. What I was intending to point out was that 
its removal via "!RC4" is likely making the prior "EECDH+aRSA+RC4" 
addition pointless. Sorry if that was not clear.

If you check the TLS handshake and find Squid is working fine without 
advertising "EECDH+aRSA+RC4" it would be a bit simpler/easier to read 
the config by removing that cipher and just relying on the "!RC4".


HTH
Amos
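The point above can be checked without a live handshake: OpenSSL's cipher-string parser is what decides what the list expands to, and the "!" operator removes matching ciphers permanently, so anything a positive term adds for RC4 is discarded again. The script below is an added example, not code from the thread, from pfSense or from Squid. It feeds the "modern" branch's cipher string (copied from the quoted snippet) to Python's ssl module, which hands the string to the same OpenSSL parser Squid's OpenSSL build uses, and then reports which positive terms can be dropped without changing the resulting ordered cipher list. It assumes a Python linked against OpenSSL (any 1.1.x or 3.x build); the function and variable names are my own.

```python
import ssl

# Cipher string from the "modern" branch of the quoted pfSense snippet.
MODERN_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def expand(cipher_string):
    """Return the ordered list of cipher names OpenSSL derives from a cipher string.

    Raises ssl.SSLError if the string selects no cipher at all, exactly as
    SSL_CTX_set_cipher_list() would fail for the proxy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def redundant_terms(cipher_string):
    """Positive terms whose removal leaves the expanded list (and its order) unchanged.

    Only positive terms are candidates: removing a "!", "-", "+" or "@" term
    would change the policy, not merely simplify it.
    """
    terms = cipher_string.split(":")
    baseline = expand(cipher_string)
    redundant = []
    for i, term in enumerate(terms):
        if not term or term[0] in "!-+@":
            continue
        candidate = ":".join(terms[:i] + terms[i + 1:])
        try:
            if expand(candidate) == baseline:
                redundant.append(term)
        except ssl.SSLError:
            # The shortened string matched nothing; the term was doing real work.
            pass
    return redundant


def simplified(cipher_string):
    """Cipher string with all individually redundant positive terms removed."""
    drop = set(redundant_terms(cipher_string))
    return ":".join(t for t in cipher_string.split(":") if t not in drop)


if __name__ == "__main__":
    names = expand(MODERN_CIPHER_STRING)
    print(f"{len(names)} ciphers selected; RC4 present: {any('RC4' in n for n in names)}")
    print("redundant terms:", redundant_terms(MODERN_CIPHER_STRING))
    print("simplified:", simplified(MODERN_CIPHER_STRING))
```

Because the list comparison is order-sensitive, a term that only moves ciphers earlier in the preference order is not reported as redundant; "EECDH+aRSA+RC4" is, since "!RC4" later in the same string removes whatever it matched (and current OpenSSL builds ship no RC4 suites to begin with). The same check applied to the "else" branch's string gives the same answer.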

