AW: [squid-users] Disabling client-initiated renegotiation on https_port

From: Marcus Zoller <marcus.zoller_at_idnt.net>
Date: Thu, 8 Mar 2012 11:47:22 +0000

Hi Amos,

Many thanks for your fast answer. Did I understand you correctly... all it takes is initializing options with 0 instead of SSL_OP_ALL? Wouldn't this be the same as setting options=!ALL on the https_port config (doing this had no effect)?

Marcus

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, 8 March 2012 12:41
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Disabling client-initiated renegotiation on https_port

On 8/03/2012 8:34 p.m., Marcus Zoller wrote:
> Hello guys,
>
> I am running squid as a reverse proxy and can't find a way to disable the support for client-initiated renegotiation. I have tested this using
>
> echo "R" | openssl s_client -connect xxxx:443
>
> which returns
>
> RENEGOTIATING
> .
<snip>
> I have found in src/ssl_support.cc that options is initialized with SSL_OP_ALL. The changelog from the openssl package says:
<snip>
>
> I was unable to find anything like this within squid's source, but from other posts I've seen that someone else already fixed this problem; unfortunately it is not clear how.
>
> So now I am wondering what I am doing wrong or if there is no support for disabling this functionality available?

We have it disabled by default starting with 3.2, but it was kept out of
3.1 so as not to break existing installations which may be depending on it.

Since you are self-building you can change that SSL_OP_ALL to a "0".

Amos
Received on Thu Mar 08 2012 - 11:47:33 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 08 2012 - 12:00:02 MST