[squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

From: S�bastien WENSKE <sebastien_at_wenske.fr>
Date: Mon, 15 Nov 2010 14:43:38 +0000

Hello guys,

I have set up a squid as SSL reverse proxy, it works very fine.

I have checked SSL security against Qualys and they report me that the
server is vulnerable to MITM attacks because it supports insecured
renegotiation

There is my SSL relating configuration:

https_port xx.xx.xx.xx:443 cert=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.crt
key=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.key options=NO_SSLv2 cipher=RSA:
HIGH:!eNULL:!aNULL:!LOW:!RC4 RSA:!RC2 RSA:!EXP:!ADH accel ignore-cc
defaultsite=xxx.xxxxxxxx.xx vhost
[...]
cache_peer 10.x.x.x parent 80 0 front-end-https=on name=sw01 no-query
originserver default login=PASS no-digest
[...]
ssl_unclean_shutdown on
[...]

Is it openssl related or squid configuration ????

Many Thanks,

Sebastian

Received on Mon Nov 15 2010 - 14:47:08 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 15 2010 - 12:00:02 MST