Re: reverse https with squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 31 May 2002 14:54:00 +0200

Peter Kassies wrote:

> My advice would be to expand the SQUID documentation on this subject.
>
> 1) it is important to explain how the used key and certificate should be
> used.
> It should be without a password. The key can be stripped using openssl.

It can also have a password, in which case you must start Squid using the -N
option to prevent Squid from backgrounding.

> 2) my estimate is that lots of people will experience problems with 56-bit
> encryption with Microsoft Explorer. This is a known bug. My advice would be
> to disable the 56-bit ciphers.
>
> In order to do that you need to list in squid.conf the ciphers that you
> want to support. I think that many users will have problems finding out
> which ciphers to use.

Heck, even I have problems finding out the best cipher list to use.. I don't
think there is a combination that universally works.

> You can find out the ciphers which your openssl supports by the following
> command:
> ./openssl ciphers -v
>
> You only want to support the non-56-bit ciphers. This can be configured in
> squid.conf as (the https_port directive must be on a single line):
>
> https_port <youripaddresshere>:443 cert=/usr/local/squid_ssl/etc/certificate.pem key=/usr/local/squid_ssl/etc/key.pem version=1 cipher=EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5

There can most likely be simpler cipher expressions for the same
purpose.. such as DEFAULT:-EXPORT56

There are also browsers having problems with TLS..

Regards
Henrik
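The procedure discussed in this thread (run `openssl ciphers -v`, pick out the suites that are not 56-bit, and paste the resulting names into the `cipher=` option of `https_port`) can be automated instead of hand-edited. The script below is an added example for this archive page, not code from either poster or from the Squid project. `SAMPLE_CIPHERS` is a constructed excerpt in the format `openssl ciphers -v` printed in the OpenSSL 0.9.x era (name, protocol, Kx, Au, Enc=cipher(bits), Mac, and an `export` flag on export suites); the hostname-free address and the `/etc/squid/...` paths are placeholders. On a real box you would pipe the live output in (`openssl ciphers -v | drop_56bit`) rather than the sample. It also shows the caveat hidden in the quoted list: filtering on 56-bit alone keeps the 40-bit `EXP-` export suites, so a second filter drops everything flagged `export` as well.

```shell
#!/bin/sh
# Constructed sample of `openssl ciphers -v` output (0.9.x-era format).
# Not captured from a real system; trimmed to a handful of suites.
SAMPLE_CIPHERS='EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH        Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA       Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA       Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA       Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA       Au=RSA Enc=DES(56)   Mac=SHA1
EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56)   Mac=SHA1 export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA Enc=RC4(40)   Mac=MD5  export'

# drop_56bit: read `openssl ciphers -v` lines on stdin and print the names
# of every suite whose symmetric key is NOT 56 bits, joined with ':' the way
# squid.conf's cipher= option expects. This is exactly the rule proposed in
# the thread; note it still lets 40-bit export suites through.
drop_56bit() {
  awk '$0 !~ /\(56\)/ { names = (n++ ? names ":" : "") $1 } END { print names }'
}

# drop_weak: same, but also discard anything OpenSSL flags as "export",
# which removes the 40-bit suites that a pure 56-bit filter misses.
drop_weak() {
  awk '$0 !~ /\(56\)/ && $0 !~ /export/ { names = (n++ ? names ":" : "") $1 } END { print names }'
}

# squid_https_port ADDR CERT KEY: print a complete https_port directive
# (one line, as Squid requires) using the drop_weak filter over the sample.
squid_https_port() {
  printf 'https_port %s:443 cert=%s key=%s version=1 cipher=%s\n' \
    "$1" "$2" "$3" "$(printf '%s\n' "$SAMPLE_CIPHERS" | drop_weak)"
}

# Stand-alone run: show both filters and the resulting directive.
printf '%s\n' "$SAMPLE_CIPHERS" | drop_56bit
printf '%s\n' "$SAMPLE_CIPHERS" | drop_weak
squid_https_port 192.0.2.10 /etc/squid/cert.pem /etc/squid/key.pem
```

To compare with the keyword form Henrik suggests, `openssl ciphers -v 'DEFAULT:-EXPORT56'` prints the expansion of that expression in the same format, so it can be fed through the same filters to confirm nothing 56-bit survives.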
Received on Fri May 31 2002 - 06:54:04 MDT
