[squid-users] RE : [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-16 Thread Sébastien WENSKE

Hello Amos and Dean,

Thank you very much, I found a "workaround" at the same time you sent your
openssl compile procedure.

In /usr/src/openssl/openssl-1.0.0a I have created a symlink lib ->
/usr/local/ssl/lib64


lrwxrwxrwx 1 root src 20 2010-11-16 16:43 lib -> /usr/local/ssl/lib64


and --with-openssl=/usr/src/openssl/openssl-1.0.0a


Now all is green in the Qualys report:
https://www.ssllabs.com/ssldb/analyze.html?d=webmail.wenske.fr  :-)


Thank you again for your support,

Cheers,

Sebastian


From: Dean Weimer [dwei...@orscheln.com]
Sent: Tuesday, 16 November 2010 16:13
To: Sébastien WENSKE
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse
PROXY - Insecure Renegotiation Supported



RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-16 Thread Dean Weimer
>Hi Amos,
>
>Glad to hear from you, I have already tried and retried this one, but no changes...
>this is freaky and I'm tired :)
>
>I will continue tomorrow, I think I need to find a guide to compile squid with
>"non-system" ssl libraries/headers.
>
>Otherwise, is there a way to know with which openssl squid is compiled???
>Because every time squid will run correctly in ssl mode... :-/
>
>Many thanks,
>
>Sebastian


Sébastien,

If it helps, my system had openssl installed with the following options:

./config --prefix=/usr/local --openssldir=/usr/local/etc/ssl -fPIC shared
make
make install

Squid had the following options for enabling openssl:

--enable-ssl --with-openssl=/usr/local

In your squid source directory, look for the config.log Amos mentioned, and in 
it the following lines should indicate which path it found your openssl 
libraries under.

configure:26112: checking openssl/err.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include  conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/err.h presence
configure:26169: g++ -E -I/usr/local/include  conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/err.h
configure:26232: result: yes
configure:26112: checking openssl/md5.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include  conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/md5.h presence
configure:26169: g++ -E -I/usr/local/include  conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/md5.h
configure:26232: result: yes
configure:26112: checking openssl/ssl.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include  conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/ssl.h presence
configure:26169: g++ -E -I/usr/local/include  conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/ssl.h
configure:26232: result: yes
configure:26112: checking openssl/x509v3.h usability
configure:26129: g++ -c -g -O2 -I/usr/local/include  conftest.cpp >&5
configure:26136: $? = 0
configure:26150: result: yes
configure:26154: checking openssl/x509v3.h presence
configure:26169: g++ -E -I/usr/local/include  conftest.cpp
configure:26176: $? = 0
configure:26190: result: yes
configure:26223: checking for openssl/x509v3.h
configure:26232: result: yes

From examining these paths on mine, and looking under the source build
directory for openssl-1.0.0a, it looks like Amos is indeed correct that the
path for your system should be --with-openssl=/usr/src/openssl/openssl-1.0.0a.
Also verify that /usr/src/openssl/openssl-1.0.0a/include/openssl does indeed
exist on your system and that it contains the *.h files shown in the output from
the config.log listed above (they should actually be linked files under the
source tree, but that shouldn't matter).

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Amos Jeffries

On Mon, 15 Nov 2010 23:39:31 +0000, Sébastien WENSKE wrote:
> Hi Amos,
> 
> Glad to hear from you, I have already tried and retried this one, but no
> changes... this is freaky and I'm tired :)
> 
> I will continue tomorrow, I think I need to find a guide to compile
> squid with "non-system" ssl libraries/headers.
> 
> Otherwise, is there a way to know with which openssl squid is compiled???
> Because every time squid will run correctly in ssl mode... :-/

The config.log file will show which openssl libraries are searched for and
found, along with any problems in the detection.

A dump of stdout from a new "make" will contain the full set of things
linked to the "squid" binary, including the full path of any custom
libraries.

There should also be tools around to show which libraries any given
pre-built binary loads. I can't think of any off the top of my head right
now though.

HTH
Amos
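
One way to do the checks Amos describes, as an added example that is not code from the thread: it reads ldd, config.log and openssl s_client output and decides whether a --with-openssl prefix is laid out the way configure expects and whether the linked OpenSSL is new enough for RFC 5746 secure renegotiation. It assumes a squid binary at /usr/sbin/squid (override with SQUID_BIN), a config.log in the current directory for the live part, and only ldd, awk, sed, cut and grep.

```shell
#!/bin/sh
# Added example, not code from the thread: shell checks for the two questions
# asked in it, "which OpenSSL is squid really built against?" and "is that
# OpenSSL new enough for RFC 5746 secure renegotiation (first in 0.9.8m)?".
# The parsing functions read command output on stdin, so they take live
# output (ldd, config.log, openssl s_client) or constructed samples.

# A --with-openssl=DIR prefix is usable when DIR/include/openssl/ssl.h exists
# and DIR/lib or DIR/lib64 holds libssl. Pointing at DIR/include/openssl
# itself, or at a source tree without a lib/ (hence the thread's symlink
# lib -> /usr/local/ssl/lib64), fails this check.
with_openssl_dir_ok() {
    [ -f "$1/include/openssl/ssl.h" ] || return 1
    for d in "$1/lib" "$1/lib64"; do
        for f in "$d"/libssl.*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# From config.log, print the -I directory configure used when it tested
# openssl/ssl.h (the "checking openssl/ssl.h usability" block quoted above).
configure_openssl_include() {
    awk '/checking openssl\/ssl\.h usability/ { want = 1; next }
         want && match($0, /-I[^ ]+/) { print substr($0, RSTART + 2, RLENGTH - 2); exit }'
}

# From `ldd /usr/sbin/squid` output, print the resolved libssl path.
libssl_path() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Map "0.9.8k" / "1.0.0a" to one integer so versions compare numerically;
# the letter is a patch level (0.9.8m > 0.9.8k) and a "-fips" tag is ignored.
openssl_version_num() {
    v=${1%%-*}
    nums=$(printf '%s' "$v" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$v" | sed 's/^[0-9.]*//' | cut -c1)
    major=${nums%%.*}; rest=${nums#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    ord=0
    if [ -n "$letter" ]; then ord=$(printf '%d' "'$letter"); fi
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + ord ))
}

# True when the version can negotiate RFC 5746 (>= 0.9.8m).
reneg_capable_version() {
    [ "$(openssl_version_num "$1")" -ge "$(openssl_version_num 0.9.8m)" ]
}

# True when `openssl s_client -connect host:443` output shows the server
# advertised the extension; "Secure Renegotiation IS NOT supported" does not match.
secure_reneg_advertised() {
    grep -q 'Secure Renegotiation IS supported'
}

# Live use on a host that has squid; skipped elsewhere so the file still runs.
squid_bin=${SQUID_BIN:-/usr/sbin/squid}
if [ -x "$squid_bin" ] && command -v ldd >/dev/null 2>&1; then
    echo "squid links libssl from: $(ldd "$squid_bin" | libssl_path)"
fi
if [ -f config.log ]; then
    echo "configure tested openssl headers under: $(configure_openssl_include < config.log)"
fi
```

Against a running proxy, `openssl s_client -connect host:443 </dev/null 2>/dev/null | secure_reneg_advertised && echo 'RFC 5746 advertised'` answers the Qualys finding directly, and `squid -v` prints the configure options squid was built with, so the --with-openssl value can be read from there as well.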



RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Sébastien WENSKE
Hi Amos,

Glad to hear from you, I have already tried and retried this one, but no changes... this
is freaky and I'm tired :)

I will continue tomorrow, I think I need to find a guide to compile squid with
"non-system" ssl libraries/headers.

Otherwise, is there a way to know with which openssl squid is compiled???
Because every time squid will run correctly in ssl mode... :-/

Many thanks,

Sebastian




-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 15 November 2010 23:55
To: Sébastien WENSKE
Cc: Dean Weimer; squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse
PROXY - Insecure Renegotiation Supported



RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Amos Jeffries
On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE wrote:
> Thanks for your support Dean, but I'm definitely a n00b :)
> I have compiled many times (without error) with some ssl paths, but no
> result, I got the same result on the scan...
> 
> I compiled openssl with no particular option (no make install)
> 
> ./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include
> --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid
> --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary
> --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for
> --enable-underscores  --enable-delay-pools --enable-cache-digests
> --enable-auth="basic" --enable-ecap 
> --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I think this should be
  --with-openssl=/usr/src/openssl/openssl-1.0.0a/



RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Sébastien WENSKE
Thanks for your support Dean, but I'm definitely a n00b :)
I have compiled many times (without error) with some ssl paths, but no result, I
got the same result on the scan...

I compiled openssl with no particular option (no make install)

./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include 
--datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid 
--exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary 
--with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for 
--enable-underscores  --enable-delay-pools --enable-cache-digests 
--enable-auth="basic" --enable-ecap  
--with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I'm lost ... I need to fix this issue before implementing this in my company ...

Cheers,

Sebastian

-Original Message-
From: Dean Weimer [mailto:dwei...@orscheln.com]
Sent: Monday, 15 November 2010 19:56
To: Sébastien WENSKE; squid-users@squid-cache.org
Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse
PROXY - Insecure Renegotiation Supported



RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Dean Weimer
> -Original Message-
> From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
> Sent: Monday, November 15, 2010 11:29 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY
> - Insecure Renegotiation Supported
> 
> Thanks Dean,
> 
> I have tried to compile with openssl 10.0.0a, but I get the same result...
> even with sslproxy_ directives.
> 
> Can you check your server on https://www.ssllabs.com/ssldb/index.html just to
> see
> 
> In my case:
> 
> browser <--- HTTPS ---> reverse proxy (squid 3.1.9) <--- HTTP ---> OWA
> 2010 (IIS 7.5)
> 
> Maybe I miss something, how can I see which version of openssl is used in squid
> ?
>

Here is the information I got back, minus the certificate section; the overall
score was a 91.  When you compiled with openssl, make sure to use the
--with-openssl=[DIR] option to specify your path, to make sure you hit the version
you installed and not the local system libraries, as they may differ.  Though
it would be best to update the local system libraries as well if possible.

Protocols
  TLS 1.2                     No
  TLS 1.1                     No
  TLS 1.0                     Yes
  SSL 3.0                     Yes
  SSL 2.0+ Upgrade Support    Yes
  SSL 2.0                     No


Cipher Suites (sorted; server has no preference)
  TLS_RSA_WITH_IDEA_CBC_SHA (0x7)            128
  TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)        128
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   128
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   128
  TLS_RSA_WITH_SEED_CBC_SHA (0x96)           128
  TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)        168
  TLS_RSA_WITH_AES_256_CBC_SHA (0x35)        256


Miscellaneous
  Test date                   Mon Nov 15 18:49:14 UTC 2010
  Test duration               102.430 seconds
  Server signature            Microsoft-IIS/6.0
  Session resumption          Yes
  Renegotiation               Secure Renegotiation Supported
  Strict Transport Security   No
  TLS Version Tolerance       0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
  PCI compliant               Yes
  FIPS-ready                  No

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


[squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Sébastien WENSKE
Thanks Dean,

I have tried to compile with openssl 10.0.0a, but I get the same result... even
with sslproxy_ directives.

Can you check your server on https://www.ssllabs.com/ssldb/index.html just to
see

In my case:

browser <--- HTTPS ---> reverse proxy (squid 3.1.9) <--- HTTP ---> OWA 2010
(IIS 7.5)

Maybe I miss something, how can I see which version of openssl is used in squid?

Thanks,

Sebastian.

-Original Message-
From: Dean Weimer [mailto:dwei...@orscheln.com]
Sent: Monday, 15 November 2010 16:42
To: Sébastien WENSKE
Subject: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure
Renegotiation Supported

It was at the bottom ☺ I deleted everything else, see below.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

I have squid compiled from source against Openssl 1.0.0a, with the following 
options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx..xxx 
vhost options=NO_SSLv2 
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site
certification scans. The options and ciphers are set both on the https_port
line and on individual lines; I'm not sure if both or only one are required.


RE: [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

2010-11-15 Thread Dean Weimer
> -Original Message-
> From: Sébastien WENSKE [mailto:sebast...@wenske.fr]
> Sent: Monday, November 15, 2010 8:44 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure
> Renegotiation Supported
> 
> Hello guys,
> 
> I have set up a squid as SSL reverse proxy, it works very well.
> 
> I have checked SSL security against Qualys and they report that the
> server is vulnerable to MITM attacks because it supports insecure
> renegotiation.
> 
> 
> Here is my SSL-related configuration:
> 
> https_port xx.xx.xx.xx:443 cert=/etc/squid/ssl/RapidSSL_xxx.xxx.xx.crt
> key=/etc/squid/ssl/RapidSSL_xxx.xxx.xx.key options=NO_SSLv2
> cipher=RSA:+HIGH:!eNULL:!aNULL:!LOW:!RC4+RSA:!RC2+RSA:!EXP:!ADH accel ignore-cc
> defaultsite=xxx..xx vhost
> [...]
> cache_peer 10.x.x.x parent 80 0 front-end-https=on name=sw01 no-query
> originserver default login=PASS no-digest
> [...]
> ssl_unclean_shutdown on
> [...]
> 
> 
> Is it openssl related or squid configuration?
> 
> 
> Many Thanks,
> 
> Sebastian

I have squid compiled from source against Openssl 1.0.0a, with the following 
options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx..xxx 
vhost options=NO_SSLv2 
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site
certification scans. The options and ciphers are set both on the https_port
line and on individual lines; I'm not sure if both or only one are required.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co