SSL policy change

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Sun, 22 Jan 2012 00:23:24 +0100

I just committed an SSL policy change to trunk to improve default
SSL/TLS security a bit.

  Disable OpenSSL SSL/TLS bug workarounds by default
  
  On closer inspection, the set of "harmless" SSL/TLS bug workarounds
  enabled by SSL_OP_ALL is not entirely harmless and reduces SSL/TLS
  strength against some attacks.
  
  To revert to the older mode the ALL option can be set explicitly, but
  it's better to understand which bug is encountered and enable only that
  specific workaround if needed.

We may want to have this backported to 3.2.

The functionality of this change is the same as always specifying -ALL
followed by any other SSL options you may have in your Squid
configuration.

Applies to

https_port options=...
cache_peer ssloptions=...
sslproxy_options ...
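To make the "-ALL followed by your other options" equivalence concrete, here is an added Python model of how a Squid-style option string maps onto an OpenSSL option bitmask. It is example code, not Squid's own parser: the option table is a small subset of the names Squid accepts (the OpenSSL constants are taken from Python's ssl module, and the value 0x800 for DONT_INSERT_EMPTY_FRAGMENTS is OpenSSL's SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS spelled out), the accepted separators (whitespace, ':' and ',') and the '+'/'-' prefix handling are assumptions, and the function names are hypothetical. The same string syntax is assumed for https_port options=, cache_peer ssloptions= and sslproxy_options.

```python
import ssl

# Squid-style option names mapped to OpenSSL option bits. This is a small
# subset chosen for the example (assumption: Squid's own table is larger).
# Plain ints are used so that bit arithmetic is independent of enum details.
SQUID_SSL_OPTIONS = {
    "ALL": int(ssl.OP_ALL),
    "NO_SSLv3": int(ssl.OP_NO_SSLv3),
    "NO_TLSv1": int(ssl.OP_NO_TLSv1),
    "SINGLE_DH_USE": int(ssl.OP_SINGLE_DH_USE),
    "CIPHER_SERVER_PREFERENCE": int(ssl.OP_CIPHER_SERVER_PREFERENCE),
    # One specific member of SSL_OP_ALL; Python exposes no constant for it,
    # so OpenSSL's value for SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is spelled out.
    "DONT_INSERT_EMPTY_FRAGMENTS": 0x00000800,
}


def parse_squid_ssl_options(spec, legacy_default=False):
    """Compute the OpenSSL option mask selected by a Squid options= string.

    Tokens may be separated by whitespace, ':' or ',' (assumed separators).
    A leading '-' clears the named bits, a leading '+' or no prefix sets
    them, and tokens are applied in order. With legacy_default=True the
    mask starts from SSL_OP_ALL (Squid's behaviour before the change); with
    the default False it starts empty (the new default).
    """
    mask = SQUID_SSL_OPTIONS["ALL"] if legacy_default else 0
    for token in spec.replace(":", " ").replace(",", " ").split():
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        if token not in SQUID_SSL_OPTIONS:
            raise ValueError(f"unknown SSL option {token!r}")
        bits = SQUID_SSL_OPTIONS[token]
        mask = (mask & ~bits) if op == "-" else (mask | bits)
    return mask


def legacy_equivalent(spec):
    """Option string that reproduces the new default on pre-change Squid."""
    return ("-ALL " + spec).strip()


def apply_to_context(ctx, mask):
    """Replace only the SSL_OP_ALL workaround bits on an ssl.SSLContext.

    Other bits (protocol floors the context already enforces) are kept, so
    this never re-enables a protocol version the context had disabled.
    """
    ctx.options = (int(ctx.options) & ~SQUID_SSL_OPTIONS["ALL"]) | mask
    return int(ctx.options)


if __name__ == "__main__":
    # Constructed configuration values for the three Squid directives.
    examples = {
        "https_port options=": "NO_SSLv3:SINGLE_DH_USE",
        "cache_peer ssloptions=": "NO_SSLv3",
        "sslproxy_options": "CIPHER_SERVER_PREFERENCE,NO_TLSv1",
    }
    for directive, spec in examples.items():
        new_default = parse_squid_ssl_options(spec)
        old_with_minus_all = parse_squid_ssl_options(
            legacy_equivalent(spec), legacy_default=True)
        print(f"{directive}{spec!r}: new default mask 0x{new_default:08x}, "
              f"legacy '{legacy_equivalent(spec)}' mask 0x{old_with_minus_all:08x}, "
              f"equal={new_default == old_with_minus_all}")

    # Enabling exactly one workaround instead of the whole ALL set.
    single = parse_squid_ssl_options("DONT_INSERT_EMPTY_FRAGMENTS")
    print(f"single workaround mask 0x{single:08x}")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print(f"context options after applying it: 0x{apply_to_context(ctx, single):08x}")
```

The parser starts from an empty mask by default, which is what the change makes Squid do; passing legacy_default=True and prefixing "-ALL" reaches the identical mask, which is the equivalence the message states. When a broken peer does need a workaround, naming that one option (as in the DONT_INSERT_EMPTY_FRAGMENTS case above) leaves every other SSL_OP_ALL bit cleared.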

Regards
Henrik
Received on Sat Jan 21 2012 - 23:23:54 MST

This archive was generated by hypermail 2.2.0 : Sun Jan 22 2012 - 12:00:13 MST