[Ach] pfSense / Squid SSL/TLS inspection downgrades ciphers
René Pfeiffer
lynx at luchs.at
Fri Feb 20 11:35:51 CET 2015
Hello, List!
I just submitted a bugreport to the pfSense bug tracker. The SSL inspection
feature uses Squid with SSL Bump and some unfortunate defaults.
„When enabling the Squid-in-the-middle SSL Bump option on pfSense 2.2/2.2.1
the SSL/TLS connections between server <-> Squid and Squid <-> client can
be downgraded to low secure SSL/TLS ciphers and key sizes. The
configuration UI does not allow setting the cipher selection for the
"cipher=" option of https_port and neither for the sslproxy_cipher
parameter. This essentially lets Squid use a default cipher selection which
is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40
bit keys, RC4, and everything that has already been broken.“
https://redmine.pfsense.org/issues/4453
One can fix this by manually adding the "cipher=" and sslproxy_cipher
parameter with sane cipher strings (Squid uses OpenSSL).
Cheers,
René.
--
)\._.,--....,'``. fL Let GNU/Linux work for you while you take a nap.
/, _.. \ _\ (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.' - System administration + Consulting + Teaching -
Got mail delivery problems? http://web.luchs.at/information/blockedmail.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 213 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20150220/32e30579/attachment.sig>
More information about the Ach
mailing list