renegotiation


renegotiation

Vieri
Hi,

I'm running Squid 4 beta.

# squid -v
Squid Cache: Version 4.0.17-20170122-r14968

I tested the following where Squid is listening on port 443 in accel mode.

# echo "R" | openssl s_client -connect 192.168.101.2:443 2>&1 3>&1 | grep RENEGOTIATING
RENEGOTIATING

How can I disable client renegotiation?

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: renegotiation

Amos Jeffries
Administrator
On 3/02/2017 2:09 a.m., Vieri wrote:

> Hi,
>
> I'm running Squid 4 beta.
>
> # squid -v
> Squid Cache: Version 4.0.17-20170122-r14968
>
> I tested the following where Squid is listening on port 443 in accel mode.
>
> # echo "R" | openssl s_client -connect 192.168.101.2:443 2>&1 3>&1 | grep RENEGOTIATING
> RENEGOTIATING
>
> How can I disable client renegotiation?
>

For what reason is complete disable needed?

Renegotiating to an insecure version or cipher set is an issue to be
fixed by configuring tls-min-version=1.Y and tls-options= disabling
unwanted ciphers etc.

The potential DoS related to renegotiation is now prevented by rate
limiting.

The current generation of OpenSSL libraries (1.0+) all contain built-in
protection from older forms of renegotiation that had other CVE issues.

Amos

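A concrete https_port line that applies Amos's advice, as an added example rather than configuration taken from the thread: the commented first line leaves protocol version and cipher selection to OpenSSL's defaults, so a client-initiated renegotiation can still land on whatever those defaults allow; the second floors the version with tls-min-version and restricts the cipher list, so a renegotiation can only end up in a version and cipher set the administrator already accepts. The certificate paths are placeholders, and the options= and cipher= spellings are Squid 4's https_port option names as I know them, so confirm them against the squid.conf.documented shipped with your build.

```conf
# Added example for a Squid 4 https_port in accel mode (not from the thread).
# /etc/squid/server.pem and /etc/squid/server.key are placeholder paths.

# Weaker: no version floor and no cipher restriction; anything OpenSSL's
# defaults permit is negotiable, including on renegotiation.
# https_port 443 accel tls-cert=/etc/squid/server.pem tls-key=/etc/squid/server.key

# Hardened: floor the protocol at TLS 1.2, switch off the older versions
# explicitly, and offer only forward-secret AEAD ciphers.
https_port 443 accel tls-cert=/etc/squid/server.pem tls-key=/etc/squid/server.key tls-min-version=1.2 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
```

After editing, `squid -k parse` reports any option Squid does not recognise, and `squid -k reconfigure` applies the change. To verify the floor from a client, `openssl s_client -tls1 -connect 192.168.101.2:443` should now fail the handshake, while the renegotiation test from the first message still prints RENEGOTIATING but can only renegotiate within the TLS 1.2 cipher set configured above.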
Re: renegotiation

Vieri
----- Original Message -----
From: Amos Jeffries <[hidden email]>
> Renegotiating to an insecure version or cipher set is an issue to be
> fixed by configuring tls-min-version=1.Y and tls-options= disabling
> unwanted ciphers etc.
>
> The potential DoS related to renegotiation is now prevented by rate
> limiting.
>
> The current generation of OpenSSL libraries (1.0+) all contain built-in
> protection from older forms of renegotiate that had other CVE issues.


Thanks again, Amos!