Re: [squid-users] disable ssl client renegotiating

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 18 Mar 2014 17:54:23 +1300

On 18/03/2014 3:09 a.m., Eliezer Croitoru wrote:
> I am trying to understand the issue which you are writing about?
> What are you talking about, ssl client renegotiation?
> What would you like to achieve?
> If you can describe it from a user perspective I might be able to
> understand a bit more.

Eliezer,
 FYI: SSL v2 and older have protocol capability to re-negotiate the
protocol version and ciphers being used. There is no user perspective
exactly because it is a feature of the SSL handshake. It is also nowadays
considered harmful for security and the latest SSL/TLS standards and BCP
strongly deprecate its use.

Amaury,
  It does depend on the OpenSSL version Squid is currently using for SSL
operations, because which protocol is picked first determines whether
it is available or not.
 But also on the Squid version, with a bug in 3.1 and earlier causing the
default to be ON and making it hard to disable.

In Squid SSL options parameters in various places (http_port/https_port
ssloptions=XX, cache_peer ... ssl-options=XX, and sslproxy_options XX)
can be used to define an explicitly permitted set of OpenSSL options
like renegotiation.

Squid-3.2 and later default SSL options are set to have only the library
default options enabled. The squid.conf setting is *additive* to the
library options, but you can "add" a NO_* option to disable one that the
library has enabled by default. Thus most example configs start with
an "ALL" or "!ALL" option.

 I may be wrong here but believe the RPM thing is likely because RHEL
developers are known to be quite free with back-porting features between
OpenSSL versions and *may* have done so to forcibly disable the
negotiation feature. Not something I would personally be confident about
relying on though without a full investigation of the exact installed
library. Which probably is not worth the time given that a Squid upgrade
should be enough to disable regardless of library.

Amos

>
> Eliezer
>
> On 17/03/2014 15:54, amaury wrote:
>> I would like to know how it's possible to disable ssl client
>> renegotiating. Reading in different mailing lists, I read that it
>> depends on the openssl version, but for example I have another server
>> with the same openssl rpm with apache that has renegotiation disabled.
>> Please, do you have any idea?
>> Thank you
>> Regards,
>>
>>
>
Received on Tue Mar 18 2014 - 04:54:35 MDT
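The additive ssloptions behaviour Amos describes, shown as squid.conf fragments. This is an added example and not configuration from the thread or from the Squid project; the port numbers, certificate path and peer hostname are placeholders, and the option names used (ALL, NO_SSLv2, NO_SSLv3) are the OpenSSL SSL_OP_* flag names with the prefix dropped. The thread does not name a specific NO_* option for renegotiation, so none is shown here; as Amos notes, whether such an option is available depends on the OpenSSL build Squid is linked against.

```text
# Added example, not from the thread. Placeholder values throughout.

# Weak: no ssloptions given, so Squid inherits whatever the linked OpenSSL
# library enables by default (on older Squid/OpenSSL that can include
# renegotiation and the SSLv2/SSLv3 protocols).
https_port 3129 cert=/etc/squid/proxy.pem

# Hardened: the squid.conf list is ADDED to the library defaults, so
# protocols are switched off by adding the matching NO_* option.
# ALL maps to OpenSSL's SSL_OP_ALL (the bug-workaround set); "!ALL" would
# negate it instead.  The same option string is accepted in all three places.
https_port 3129 cert=/etc/squid/proxy.pem ssloptions=ALL,NO_SSLv2,NO_SSLv3

# Outbound TLS to a parent cache (ssl-options= form):
cache_peer parent.example.net parent 3128 0 ssl ssl-options=ALL,NO_SSLv2,NO_SSLv3

# Outbound TLS for ssl-bump / origin connections (no '=' on this directive):
sslproxy_options ALL,NO_SSLv2,NO_SSLv3
```

After changing these directives, `squid -k parse` checks that every option name is one the running Squid build recognises before the configuration is reloaded; an unknown NO_* name is rejected at that point rather than silently ignored, which is the check worth running when, as in this thread, the available options depend on the library version.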

This archive was generated by hypermail 2.2.0 : Tue Mar 18 2014 - 12:00:06 MDT