Re: [squid-users] Disable TLS compression in squid reverse proxy on Ubuntu

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Oct 2013 14:30:45 +1300

On 15/10/2013 2:19 p.m., PSA4444 wrote:
> I am trying to disable TLS compression in squid 3.2 running in reverse proxy
> mode.
> It's running on Ubuntu 12.04.
>
> root_at_ip-10-0-0-xx:~# openssl s_client -connect localhost:443
> ...
> Compression: zlib compression
> Expansion: zlib compression
> Compression: 1 (zlib compression)
>
> As opposed to:
>
> Compression: NONE
> Expansion: NONE
>
> #This is my https port setup:
> https_port 443 accel cert=/path/to/cert.cert key=/path/to/key.pem vhost
> defaultsite=www.mysite.com
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> #And I have tried the no_comp ssl flag. (We need the DONT_VERIFY_PEER for
> now):
> sslproxy_flags DONT_VERIFY_PEER no_comp

The flag has case-sensitive naming:

    No_Compression

>
> Has the situation changed since this:
> http://www.squid-cache.org/mail-archive/squid-users/201210/0166.html
>
> ?

Yes, things have changed since then. Sebastien identified the OpenSSL
flag to disable TLS compression and it has been supported since the 3.2.7
release.

> Has anyone else managed to disable tls compression in Ubuntu 12.04?

Check your Squid version number (squid -v) and OpenSSL library version
capabilities. The flag is only confirmed working in OpenSSL versions
released after CRIME/BEAST attacks were identified.

Amos
Received on Tue Oct 15 2013 - 01:30:55 MDT
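Added example, not part of the thread: a POSIX shell check that parses the `openssl s_client` output quoted above and reports whether the server negotiated TLS-level compression, so the result of a `No_Compression` change can be verified from the command line. The host/port arguments, function names and the two sample strings are constructed for this example.

```shell
#!/bin/sh
# Classify the "Compression:" line of `openssl s_client` output.
# Exit status: 0 = no compression negotiated, 1 = compression negotiated
# (zlib, i.e. CRIME-relevant), 2 = line absent (handshake failed/truncated).
tls_compression_status() {
    # $1 = captured s_client output as a single string
    comp=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Compression: *//p' | head -n 1)
    case "$comp" in
        "")   return 2 ;;
        NONE) return 0 ;;
        *)    return 1 ;;
    esac
}

# Live check against a listener; assumes the openssl CLI is installed.
# Usage: check_tls_compression [host] [port]   (defaults: localhost 443)
check_tls_compression() {
    host=${1:-localhost}
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null) || out=""
    rc=0
    tls_compression_status "$out" || rc=$?
    case $rc in
        0) echo "$host:$port: TLS compression disabled" ;;
        1) echo "$host:$port: TLS compression ENABLED" ;;
        *) echo "$host:$port: could not determine (handshake failed?)" ;;
    esac
    return $rc
}

# Constructed samples mirroring the two outputs quoted in the thread.
SAMPLE_ZLIB='Compression: zlib compression
Expansion: zlib compression'
SAMPLE_NONE='Compression: NONE
Expansion: NONE'
```

Run `check_tls_compression localhost 443` on the proxy host before and after the configuration change; a non-zero exit status flags a listener that still offers compression.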