Re: [squid-users] Disabling client-initiated renegotiation on https_port

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Mar 2012 00:40:46 +1300

On 8/03/2012 8:34 p.m., Marcus Zoller wrote:
> Hello guys,
>
> I am running squid as a reverse proxy and can't find a way to disable the support for client-initiated renegotiation. I have tested this using
>
> echo "R" | openssl s_client -connect xxxx:443
>
> which returns
>
> RENEGOTIATING
> .
<snip>
> I have found in src/ssl_support.cc that options is initialized with SSL_OP_ALL. The changelog from the openssl package says:
<snip>
>
> I was unable to find anything like this within Squid's source, but from other posts I've seen that someone else already fixed this problem; unfortunately it is not clear how.
>
> So now I am wondering what I am doing wrong or if there is no support for disabling this functionality available?

We have it disabled by default starting with 3.2, but it was kept out of
3.1 so as not to break existing installations which may be depending on it.

Since you are self-building you can change that SSL_OP_ALL to a "0".

Amos
Received on Thu Mar 08 2012 - 11:43:08 MST
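
To make the `s_client` test from the question repeatable after a rebuild, the following added example (not part of the original thread and not Squid code) classifies a saved `openssl s_client` transcript. The function name `classify_reneg`, the sample transcripts and the error markers it looks for are assumptions made for illustration; the markers are a heuristic, and the session is assumed to be TLS 1.2 or earlier.

```shell
#!/bin/sh
# Added example: decide from an `openssl s_client` transcript whether a
# client-initiated renegotiation was accepted by the server.
#
# Live use (host is the placeholder from the thread):
#   echo "R" | openssl s_client -connect xxxx:443 2>&1 | classify_reneg
#
# Prints exactly one of:
#   accepted       RENEGOTIATING was printed and no error followed it
#   refused        RENEGOTIATING was printed, then an error or reset
#   not-attempted  no RENEGOTIATING marker (connect failed, "R" not sent)

classify_reneg() {
    awk '
        # s_client prints this marker when it starts the renegotiation.
        /^RENEGOTIATING/ { seen = 1; next }
        # Heuristic (assumption): any error text after the marker means the
        # server rejected the new handshake or dropped the connection.
        seen && (/error:/ || /errno=/ || /handshake failure/) { failed = 1 }
        END {
            if (!seen)       print "not-attempted"
            else if (failed) print "refused"
            else             print "accepted"
        }
    '
}

# Constructed transcripts for offline checking (not captured from a server).
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'RENEGOTIATING' \
        'depth=0 CN = proxy.example' 'verify return:1' 'DONE'
}

sample_refused() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'RENEGOTIATING' \
        'write:errno=104'
}

sample_no_connect() {
    # The errno here precedes any marker, so it must not count as "refused".
    printf '%s\n' 'connect:errno=111'
}
```

A result of `accepted` on an https_port that is meant to have renegotiation disabled indicates the rebuilt binary is not the one serving the port or the change did not take effect.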
