[squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

From: Sébastien WENSKE <sebastien_at_wenske.fr>
Date: Mon, 15 Nov 2010 17:29:11 +0000

Thanks Dean,

I have tried to compile with openssl 10.0.0a, but I get the same result... even with sslproxy_ directives.

Can you check your server on https://www.ssllabs.com/ssldb/index.html just to see....

In my case:

browser <--- HTTPS ----> reverse proxy (squid 3.1.9) <---- HTTP -----> OWA 2010 (IIS 7.5)

Maybe I am missing something; how can I see which version of openssl is used in squid?

Thanks,

Sebastian.

-----Original Message-----
From: Dean Weimer [mailto:dweimer_at_orscheln.com]
Sent: Monday, 15 November 2010 16:42
To: Sébastien WENSKE
Subject: RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

It was at the bottom ☺ I deleted everything else; see below.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co

I have squid compiled from source against Openssl 1.0.0a, with the following options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx.xxxx.xxx vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site certification scans. The options and ciphers are set both on the https_port line and on individual lines; not sure if both or only one are required.
Received on Mon Nov 15 2010 - 17:32:43 MST
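
Added example, not part of the thread or of Squid: two small checks for the questions raised above, namely which libssl the squid binary resolves at run time and whether the listener advertises secure renegotiation. The function names, the host proxy.example.com and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl s_client` output (stdin) by its renegotiation line.
reneg_status() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Print the libssl path the dynamic loader resolves, from `ldd` output (stdin).
# "none" means the binary is statically linked or was built without SSL.
linked_libssl() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Constructed samples so the script runs offline.
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_NEW='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_LDD='  libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007f0000000000)
  libc.so.6 => /lib/libc.so.6 (0x00007f0000400000)'

printf 'old library sample: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | reneg_status)"
printf 'new library sample: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | reneg_status)"
printf 'resolved libssl:    %s\n' "$(printf '%s\n' "$SAMPLE_LDD" | linked_libssl)"

# Against a live system (host name is a placeholder):
#   ldd "$(command -v squid)" | linked_libssl
#   openssl s_client -connect proxy.example.com:443 </dev/null 2>/dev/null | reneg_status
```

The ldd check matters because the library loaded at run time can differ from the one squid was compiled against; the s_client check needs a local openssl client that itself supports secure renegotiation.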
