I just committed an SSL policy change to trunk to improve default SSL/TLS security a bit.

  Disable OpenSSL SSL/TLS bug workarounds by default

  On a closer inspection the set of "harmless" SSL/TLS bug workarounds set by SSL_OP_ALL is not all of them harmless and reduces the SSL/TLS strength to some attacks.

  To revert to the older mode the ALL option can be set explicitly, but it's better to understand which bug is encountered and enable only that specific workaround if needed.

We may want to have this backported to 3.2.

The functionality of this change is the same as always specifying -ALL followed by any other SSL options you may have in your Squid configuration.

Applies to:

  https_port options=...
  cache_peer ssloptions=...
  sslproxy_options ...

Regards
Henrik
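
The following is an added example, not part of the post above or of Squid's code: a small audit script that reads a squid.conf and reports, for each of the three settings listed, whether the ALL workaround set is in effect under the old default (ALL implied) and under the new one (equivalent to a leading -ALL). Assumptions: option tokens are separated by "," or ":", a leading "-" removes an option, options are tracked by name only, a cache_peer line without ssloptions= is not reported, and the sample configuration is constructed.

```python
import re

# The three places the post says SSL options are set. Regexes are illustrative.
SITES = [
    ("https_port", re.compile(r"^\s*https_port\b(?:.*?\soptions=(\S+))?")),
    ("cache_peer", re.compile(r"^\s*cache_peer\b.*?\sssloptions=(\S+)")),
    ("sslproxy_options", re.compile(r"^\s*sslproxy_options\s+(\S+)")),
]

def effective_options(option_string, legacy_default):
    """Names left enabled after applying the option string to the default.

    legacy_default=True models the old behaviour (ALL implied),
    False the new one (same as a leading -ALL). Options are tracked by
    name only; this does not expand ALL into OpenSSL's individual bits.
    """
    enabled = {"ALL"} if legacy_default else set()
    for token in re.split(r"[,:]", option_string):  # separators: assumption
        token = token.strip()
        if token.startswith("-"):
            enabled.discard(token[1:])
        elif token:
            enabled.add(token)
    return enabled

def audit(conf_text):
    """Return (line_no, directive, all_on_before, all_on_after) per site."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments
        for name, pattern in SITES:
            match = pattern.match(line)
            if match:
                opts = match.group(1) or ""
                findings.append((line_no, name,
                                 "ALL" in effective_options(opts, True),
                                 "ALL" in effective_options(opts, False)))
                break
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
https_port 443 cert=/etc/squid/proxy.pem
https_port 8443 cert=/etc/squid/proxy.pem options=ALL,NO_SSLv2
cache_peer origin.example.net parent 443 0 ssl ssloptions=-ALL,NO_SSLv2
sslproxy_options NO_SSLv2
"""

if __name__ == "__main__":
    for line_no, name, before, after in audit(SAMPLE):
        print(f"line {line_no}: {name}: ALL before={before} after={after}")
```

Lines where the two columns differ are the ones whose behaviour changes with the new default; lines where ALL is still on afterwards set it explicitly and are candidates for narrowing to a single workaround.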