    Squid Proxy with HTTPS Inspection downgrades SSL/TLS Ciphers

    pfSense Packages
    3 Posts 2 Posters 1.8k Views
    • luchs

      Hello!

      I just played with the HTTPS inspection feature (ssl-bump and intercept) of the Squid package. Everything works great, but there is a major drawback. The configuration UI does not allow setting the cipher selection for the "cipher=" option of https_port and neither for the sslproxy_cipher parameter. This essentially lets Squid use a default cipher selection which is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40-bit keys, RC4, and everything that has already been broken.

      Please use sane defaults for the "cipher=" option of https_port and the sslproxy_cipher parameter. I use the cipher string from https://bettercrypto.org/ and can recommend everyone to do the same.

      Cheers.

      • marcelloc

        You mean client to squid cipher or squid to web server?

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • luchs

          @marcelloc:

          You mean client to squid cipher or squid to web server?

          I meant both connections. AFAIK sslproxy_cipher is for Squid <-> web server, and https_port is for Squid <-> web client. It doesn't hurt to keep both connections with strong SSL/TLS modes.

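Before pasting a cipher string into the two Squid directives discussed in this thread, it helps to expand it the way OpenSSL will and confirm that nothing below 128 bits, and no RC4/DES/export/NULL/MD5 suite, survives. The following check is an added example, not code from the thread or from the pfSense Squid package; the cipher string it carries is a constructed one (not the bettercrypto.org string), and the directive names follow the Squid 3.x syntax used in the thread.

```python
import ssl

# Constructed hardened cipher string in OpenSSL syntax, the same syntax Squid
# accepts for "https_port ... cipher=" and "sslproxy_cipher". Not bettercrypto.org's.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5:!DES:!3DES"
)

# Substrings that mark a suite as broken or obsolete regardless of key size.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the concrete suites it enables.

    Uses the same libssl rules Squid applies, so the result reflects what a
    client (https_port) or origin server (sslproxy_cipher) could negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_suites(cipher_string, min_bits=128):
    """Return the names of enabled suites that are weaker than min_bits or
    carry a known-bad algorithm marker. An empty list means the string is sane."""
    weak = []
    for suite in expand_cipher_string(cipher_string):
        name = suite["name"]
        if suite["strength_bits"] < min_bits or any(m in name for m in WEAK_MARKERS):
            weak.append(name)
    return weak


def squid_directives(cipher_string, port=3129, cert="/etc/squid/squid.pem"):
    """Render the two squid.conf lines the thread asks for (Squid 3.x names;
    Squid 4 replaced sslproxy_cipher with tls_outgoing_options cipher=).
    The port and certificate path are placeholders, not values from the thread."""
    return [
        f"https_port {port} intercept ssl-bump cert={cert} cipher={cipher_string}",
        f"sslproxy_cipher {cipher_string}",
    ]


if __name__ == "__main__":
    bad = weak_suites(HARDENED_CIPHERS)
    print("weak suites:", bad or "none")
    print("\n".join(squid_directives(HARDENED_CIPHERS)))
```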
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.