    Squid Proxy with HTTPS Inspection downgrades SSL/TLS Ciphers

    pfSense Packages
    luchs

      Hello!

      I just played with the HTTPS inspection feature (ssl-bump and intercept) of the Squid package. Everything works great, but there is a major drawback. The configuration UI does not allow setting the cipher selection for the "cipher=" option of https_port and neither for the sslproxy_cipher parameter. This essentially lets Squid use a default cipher selection which is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40 bit keys, RC4, and everything that has already been broken.

      Please use sane defaults for the "cipher=" option of https_port and the sslproxy_cipher parameter. I use the cipher string from https://bettercrypto.org/ and can recommend everyone to do the same.

      Cheers.


      marcelloc

        You mean client to squid cipher or squid to web server?


          luchs

          @marcelloc:

          You mean client to squid cipher or squid to web server?

          I meant both connections. AFAIK sslproxy_cipher is for Squid <-> web server, and https_port is for Squid <-> web client. It doesn't hurt to keep both connections with strong SSL/TLS modes.

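An added example, not from the thread or from the pfSense Squid package, showing how to check what a cipher string actually selects on the local OpenSSL before placing it into the two directives luchs names. The cipher string, port 3129 and certificate paths are constructed assumptions; the directive names are the Squid 3.x ones used in the thread (Squid 4 moved the outgoing side to tls_outgoing_options).

```python
"""Audit an OpenSSL cipher string before handing it to Squid's https_port
cipher= and sslproxy_cipher directives (added example; Squid 3.x directive
names as used in the thread, hypothetical port and certificate paths)."""
import ssl

# Substrings marking the families the thread complains about (RC4, 40-bit
# export suites) plus other historically broken ones. 'DES-CBC-' matches
# single DES but not DES-CBC3 (3DES); the bit-strength floor handles that.
WEAK_MARKERS = ("RC4", "EXP", "DES-CBC-", "NULL", "MD5", "ADH", "AECDH", "SEED")

# Constructed cipher string (not the bettercrypto.org one): forward secrecy
# only, AES, and explicit exclusion of the 1990s leftovers.
STRONG_CIPHERS = ("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                  "!aNULL:!eNULL:!EXP:!LOW:!RC4:!3DES:!MD5:!PSK")


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites a cipher string really selects.

    Returns dicts with at least 'name' and 'strength_bits'. TLS 1.3 suites
    are always listed: set_ciphers() only governs TLS 1.2 and below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_ciphers(ciphers, min_bits=128):
    """Names that fall below the bit floor or belong to a weak family."""
    return [c["name"] for c in ciphers
            if c["strength_bits"] < min_bits
            or any(marker in c["name"] for marker in WEAK_MARKERS)]


def render_squid_tls_config(cipher_string, port=3129):
    """Build both Squid 3.x directives, refusing a string that expands weakly."""
    bad = weak_ciphers(expand_cipher_string(cipher_string))
    if bad:
        raise ValueError("cipher string still enables weak suites: " + ", ".join(bad))
    return "\n".join([
        # client <-> Squid side (intercepted HTTPS); cert paths are placeholders
        "https_port %d intercept ssl-bump cipher=%s options=NO_SSLv2,NO_SSLv3 "
        "cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key" % (port, cipher_string),
        # Squid <-> origin server side
        "sslproxy_cipher %s" % cipher_string,
        "sslproxy_options NO_SSLv2,NO_SSLv3",
    ])


if __name__ == "__main__":
    print(render_squid_tls_config(STRONG_CIPHERS))
```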