Re: SSL version default

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Mon, 24 Jan 2011 22:12:49 +0100

On Mon, 2011-01-24 at 20:54 +0100, Henrik Nordström wrote:
> On Mon, 2011-01-24 at 17:28 +0100, Ralf Hildebrandt wrote:
>
> > > Making SSLv3-only or TLSv1-only the default from Squid-3.2 onwards.
> >
> > Yes please
>
> Please note that this change will only impact some specific
> configurations and not normal proxying:
>
> * sslbump
> * cache_peer using ssl option. Mostly (only?) used in reverse
> proxy setups.
> * URL rewrites (not redirects) from http to https. Not sure anyone
> uses this.
> * http->https gatewaying for clients not natively supporting
> https. This mode is pretty much obsolete by now, when even the
> simplest clients support https today.
>
> In normal proxying it's the browser's SSL policy that defines which SSL
> protocol version it will use in its initial SSL handshake message.

Additionally it seems OpenSSL has already increased the level
internally. In default options (0) clients use TLSv1, which is rejected
by SSLv2 servers due to protocol incompatibility (TLSv1 and SSLv3 are
compatible, differing in negotiated parameters).

Regards
Henrik
Received on Mon Jan 24 2011 - 21:12:53 MST
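As an added example (not from this thread or from Squid's own documentation), a squid.conf fragment that pins the protocol version in the directives Henrik lists instead of relying on the OpenSSL default; the directive names and the sslversion numbering (1 = automatic, 4 = TLSv1) are assumed from Squid 3.1/3.2-era syntax.

```conf
# Added example, not from the thread: the configurations affected by the
# default change, with the SSL/TLS version pinned explicitly.
# Syntax assumed from Squid 3.1/3.2-era cache_peer / sslproxy_* / https_port.

# Weak: sslversion=1 ("automatic") leaves version selection to the
# OpenSSL default method on the peer connection.
# cache_peer origin.example.net parent 443 0 no-query originserver ssl sslversion=1

# Hardened: TLSv1 only (sslversion=4) for the ssl cache_peer used in
# reverse-proxy setups ...
cache_peer origin.example.net parent 443 0 no-query originserver ssl sslversion=4

# ... and the same for the outbound side of ssl-bump connections.
sslproxy_version 4
sslproxy_options NO_SSLv2

# Reverse-proxy listener: refuse SSLv2 handshakes from clients.
https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/key.pem options=NO_SSLv2
```

Ordinary forward proxying of CONNECT traffic is untouched by any of these lines, as the message explains.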
