reverse https with squid

From: Peter Kassies <p.kassies@dont-contact.us>
Date: Fri, 31 May 2002 11:15:30 +0200

Dear developers,

I'm currently using reverse squid with https.
So far it works fine with "official Verisign certificates" and my own
generated with openssl.

My advice would be to expand the SQUID documentation on this subject.

1) it is important to explain how the used key and certificate should be
used.
It should be without a password. The key can be stripped using openssl.

2) my estimate is that lots of people will experience problems with 56bit
encryption with Microsoft Explorer. This is a known bug. My advice would be
to disable the 56bit ciphers.

In order to do that you need to list in squid.conf the ciphers that you want
to support. I think that many users will have problems to find out which
ciphers to use.

You can find out the ciphers which your openssl supports by the following
command:
./openssl ciphers -v

You only want to support the non-56bit ciphers. This can be configured in
squid.conf as:

https_port <youripaddresshere>:443
cert=/usr/local/squid_ssl/etc/certificate.pem
key=/usr/local/squid_ssl/etc/key.pem version=1
cipher=EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Peter
Received on Fri May 31 2002 - 04:42:57 MDT
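
Added example (not part of the original message and not Squid project code): a shell sketch that builds a cipher= value from `openssl ciphers -v` output by keeping only entries whose Enc= field reports more than 56 bits and that are not flagged export, and that checks an existing cipher= value against that result. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# strong_ciphers [MIN_BITS]: read `openssl ciphers -v` output on stdin and
# print a colon-separated list of the cipher names whose Enc= field reports
# more than MIN_BITS (default 56) and that are not marked "export".
strong_ciphers() {
    awk -v min="${1:-56}" '
        {
            bits = 0; is_export = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "export") is_export = 1
                # Enc=3DES(168) -> 168; Enc=None has no bit count -> 0
                if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
            }
            if (!is_export && bits > min)
                out = out (out == "" ? "" : ":") $1
        }
        END { print out }'
}

# audit_cipher_list LIST [MIN_BITS]: print every name in a colon-separated
# cipher= value that the listing on stdin does not rate above MIN_BITS.
# Names missing from the listing are reported as well.
audit_cipher_list() {
    allowed=":$(strong_ciphers "${2:-56}"):"
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$allowed" in
            *":$name:"*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample in the column layout of `openssl ciphers -v`.
sample_listing() {
    cat <<'EOF'
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

# Real use: openssl ciphers -v | strong_ciphers
sample_listing | strong_ciphers
```

Against a live installation, pipe `openssl ciphers -v` into either function in place of the sample listing.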