Squid Proxy with HTTPS Inspection downgrades SSL/TLS Ciphers
-
Hello!
I just played with the HTTPS inspection feature (ssl-bump and intercept) of the Squid package. Everything works great, but there is a major drawback. The configuration UI does not allow setting the cipher selection for the "cipher=" option of https_port, nor for the sslproxy_cipher parameter. This essentially lets Squid use a default cipher selection which is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40 bit keys, RC4, and everything that has already been broken.
Please use sane defaults for the "cipher=" option of https_port and the sslproxy_cipher parameter. I use the cipher string from https://bettercrypto.org/ and can recommend that everyone do the same.
Cheers.
-
You mean client to squid cipher or squid to web server?
-
You mean client to squid cipher or squid to web server?
I meant both connections. AFAIK sslproxy_cipher is for Squid <-> web server, and https_port is for Squid <-> web client. It doesn't hurt to keep both connections with strong SSL/TLS modes.
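Added example, not from the thread, from pfSense or from the Squid project: a small audit script that checks a squid.conf for the two settings discussed above, the "cipher=" option on https_port (client <-> Squid) and the sslproxy_cipher directive (Squid <-> web server, Squid 3.x syntax; Squid 4 and later replaced it with "tls_outgoing_options cipher="). It flags a port or proxy side that has no cipher string at all (so the OpenSSL defaults apply) and a cipher string that does not exclude the well-known weak families, and it asks the local OpenSSL which suites a string actually selects. The two squid.conf samples and the hardened cipher string are constructed for illustration; the hardened string is an assumption and is not the bettercrypto.org string, which you should take from their site.

```python
"""Audit a squid.conf for missing or weak TLS cipher settings on ssl-bump ports.

Added example, not code from the forum thread, pfSense or Squid. Checks the
cipher= option of https_port and the sslproxy_cipher directive (Squid 3.x).
"""
import ssl

# Families any sane OpenSSL cipher string should exclude with a leading "!".
WEAK_TOKENS = ("aNULL", "eNULL", "LOW", "EXP", "RC4", "MD5", "3DES")

# Constructed hardened string for illustration (assumption, not bettercrypto's).
HARDENED = ("EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES"
            ":!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5:!3DES")

# Constructed sample: what a UI-generated ssl-bump config looks like without
# any cipher settings (cert path is a placeholder).
WEAK_CONF = """
http_port 3128 ssl-bump cert=/path/to/cert.pem
https_port 3129 intercept ssl-bump cert=/path/to/cert.pem
"""

# Constructed sample with both sides pinned to the hardened string.
HARDENED_CONF = f"""
https_port 3129 intercept ssl-bump cert=/path/to/cert.pem cipher={HARDENED}
sslproxy_cipher {HARDENED}
"""


def parse_squid_conf(text):
    """Return (https_port entries, sslproxy_cipher string or None).

    Each https_port entry is {"addr": ..., "opts": {key: value}}; flag-style
    options such as intercept or ssl-bump get an empty value.
    """
    ports, proxy_cipher = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "https_port" and len(parts) > 1:
            opts = {}
            for tok in parts[2:]:
                key, _, value = tok.partition("=")
                opts[key] = value
            ports.append({"addr": parts[1], "opts": opts})
        elif parts[0] == "sslproxy_cipher" and len(parts) > 1:
            proxy_cipher = parts[1]
    return ports, proxy_cipher


def cipher_string_findings(cipher_string):
    """Static check: which weak families does the string fail to exclude?"""
    excluded = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    return [f"does not exclude {w}" for w in WEAK_TOKENS if w not in excluded]


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suite names the string really selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(conf_text):
    """Return a list of human-readable findings for a squid.conf text."""
    ports, proxy_cipher = parse_squid_conf(conf_text)
    findings = []
    for port in ports:
        cs = port["opts"].get("cipher")
        if not cs:
            findings.append(f"https_port {port['addr']}: no cipher= option, "
                            "OpenSSL defaults apply (client <-> Squid)")
        else:
            findings += [f"https_port {port['addr']}: cipher= {f}"
                         for f in cipher_string_findings(cs)]
    if proxy_cipher is None:
        findings.append("sslproxy_cipher not set, OpenSSL defaults apply "
                        "(Squid <-> web server)")
    else:
        findings += [f"sslproxy_cipher: {f}"
                     for f in cipher_string_findings(proxy_cipher)]
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
    print("hardened string selects:", expand_cipher_string(HARDENED))
```

Running it prints two findings for the UI-style config (no cipher= on the https_port, no sslproxy_cipher) and none for the pinned one, then the suite names the local OpenSSL expands the hardened string to, which is the quickest way to confirm that a string really drops RC4 and export grades before you paste it into squid.conf.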