Re: [squid-users] Re: Cipher Suites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 11 Feb 2012 14:41:52 +1300

>>
>> On Feb 10, 2012, at 4:33 AM, PS wrote:
>>
>>>> Hello,
>>>> Is there a way for me to force a server to accept the cipher that I
>>>> am choosing? Below you can see my http_port directive.
>>>>
>>>> http_port 3128 ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=4MB
>>>> key=/usr/local/squid/ssl_cert/private/squid-rsa-3.2.pem
>>>> cert=/usr/local/squid/ssl_cert/squid-3.2.pem version=4 cipher=RC4-SHA
>>>>
>>>> It seems like every site that I connect to while using Squid, the
>>>> server always chooses Cipher Suite:
>>>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084). I'm not sure why.
>>>> Exactly what does the cipher option do?
>

The value is passed untouched through to the OpenSSL library.
See http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

SSL details on http_port control what Squid uses when communicating with
the *client*.

SSL details used when communicating DIRECT to *servers* use the server
SSL directives starting with sslproxy_*, for example:
   http://www.squid-cache.org/Doc/config/sslproxy_cipher/

Or, to set specific details for a peer linkage, set the ssl options for
cache_peer.

Amos
Received on Sat Feb 11 2012 - 01:42:03 MST
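
Added example (not part of the original message): a squid.conf sketch of where the cipher string goes for each of the three TLS legs described in the reply. The paths and cipher value are copied from the question; the peer hostname and ports on the cache_peer line are placeholders, and the sslcipher= option name is taken from the Squid 3.x cache_peer documentation.

```conf
# Leg 1: client <-> Squid.
# Options on http_port only affect what Squid negotiates with the browser.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/local/squid/ssl_cert/private/squid-rsa-3.2.pem cert=/usr/local/squid/ssl_cert/squid-3.2.pem cipher=RC4-SHA

# Leg 2: Squid <-> origin server (DIRECT).
# This is the directive that decides which suites Squid offers to the server.
sslproxy_cipher RC4-SHA

# Leg 3: Squid <-> a cache_peer (placeholder host and ports).
# Per-peer TLS settings are given as options on the cache_peer line itself.
cache_peer parent.example.invalid parent 3128 0 ssl sslcipher=RC4-SHA

# All three values are handed to OpenSSL unchanged. To see which suites a
# cipher string expands to with the local OpenSSL build, run:
#   openssl ciphers -v 'RC4-SHA'
```

With only the http_port cipher= option set, as in the question, the server-side handshake still uses Squid's default outgoing suite list, which is why the suite observed toward the server did not change.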
