On 15/10/2013 2:19 p.m., PSA4444 wrote:
> I am trying to disable TLS compression in squid 3.2 running in reverse proxy
> mode.
> It's running on Ubuntu 12.04.
>
> root_at_ip-10-0-0-xx:~# openssl s_client -connect localhost:443
> ...
> Compression: zlib compression
> Expansion: zlib compression
> Compression: 1 (zlib compression)
>
> As opposed to:
>
> Compression: NONE
> Expansion: NONE
>
> #This is my https port setup:
> https_port 443 accel cert=/path/to/cert.cert key=/path/to/key.pem vhost
> defaultsite=www.mysite.com
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> #And I have tried the no_comp ssl flag. (We need the DONT_VERIFY_PEER for
> now):
> sslproxy_flags DONT_VERIFY_PEER no_comp
The flags have case-sensitive naming:
No_Compression
>
> Has the situation changed since this:
> http://www.squid-cache.org/mail-archive/squid-users/201210/0166.html
>
> ?
Yes things have changed since then. Sebastien identified the OpenSSL
flag to disable TLS compression and it has been supported since 3.2.7
release.
> Has anyone else managed to disable tls compression in Ubuntu 12.04?
Check your Squid version number (squid -v) and OpenSSL library version
capabilities. The flag is only confirmed working in OpenSSL versions
released after CRIME/BEAST attacks were identified.
Amos
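An added check, not part of the original thread, for confirming the result Amos asks the poster to verify: `negotiated_compression` reads the `Compression:` line of `openssl s_client` output (the two sample outputs below are constructed to match the shapes quoted in the post), and `live_check` performs the same handshake from Python against a host and port you supply, returning the negotiated compression method or `None`.

```python
import re
import socket
import ssl

# Constructed samples: the relevant lines of `openssl s_client -connect host:443`
# output for a server that still negotiates TLS compression and one that does not.
SAMPLE_WITH_COMPRESSION = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
"""

SAMPLE_WITHOUT_COMPRESSION = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
"""


def negotiated_compression(s_client_output: str):
    """Return the compression method named on the first 'Compression:' line,
    or None when s_client reports NONE."""
    m = re.search(r"^Compression:\s*(.+?)\s*$", s_client_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Compression:' line in s_client output")
    value = m.group(1)
    return None if value.upper() == "NONE" else value


def live_check(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with host:port and return the compression method the server
    agreed to (None means none). Python disables offering compression by
    default, so that option is cleared here on purpose: the probe must offer
    it to learn whether the server still accepts it (the local OpenSSL must
    also have zlib support for the offer to be made). Certificate checking is
    off because this is a capability probe, not an authenticated session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()
```

Run `live_check("localhost", 443)` against the proxy after restarting Squid; a return value of `None` matches the `Compression: NONE` output the poster is trying to reach.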
Received on Tue Oct 15 2013 - 01:30:55 MDT