[Ach] pfSense / Squid SSL/TLS inspection downgrades ciphers

René Pfeiffer lynx at luchs.at
Fri Feb 20 11:35:51 CET 2015


Hello, List!

I just submitted a bug report to the pfSense bug tracker. The SSL inspection
feature uses Squid with SSL Bump and some unfortunate defaults.

„When enabling the Squid-in-the-middle SSL Bump option on pfSense 2.2/2.2.1,
the SSL/TLS connections between server <-> Squid and Squid <-> client can
be downgraded to low-security SSL/TLS ciphers and key sizes. The
configuration UI does not allow setting the cipher selection for the
"cipher=" option of https_port, nor for the sslproxy_cipher
parameter. This essentially lets Squid use a default cipher selection which
is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40
bit keys, RC4, and everything that has already been broken.“

https://redmine.pfsense.org/issues/4453

One can fix this by manually adding the "cipher=" and sslproxy_cipher
parameters with sane cipher strings (Squid uses OpenSSL).

Cheers,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php
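As an added example (not part of the original post, and not code from pfSense or Squid), the following script audits an OpenSSL cipher string of the kind one would put behind Squid's "https_port ... cipher=" option and the "sslproxy_cipher" directive. It resolves the string through the local OpenSSL library via Python's standard ssl module and flags anything the 2015-era DEFAULT list would have let through: RC4, single DES and 3DES, export-grade, NULL, MD5-based and anonymous suites, and anything below 128 bits of strength. The hardened string HARDENED is an assumption, one reasonable choice among several; the LEGACY_DEFAULT_SAMPLE list is constructed here to mirror what an OpenSSL 1.0.x DEFAULT list contained, because modern OpenSSL builds no longer expose those suites and they cannot be resolved from the library any more.

```python
"""Audit an OpenSSL cipher string before putting it into Squid's
https_port cipher= option and sslproxy_cipher directive.

Added example; not from the original post or from pfSense/Squid.
"""
import ssl

# Substrings that mark a suite as unacceptable for a TLS-inspecting proxy.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128

# Assumption: a hardened cipher string a practitioner might set for both the
# client-facing (https_port cipher=) and server-facing (sslproxy_cipher) legs.
HARDENED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)


def resolve_cipher_string(cipher_string):
    """Return the suites OpenSSL actually selects for cipher_string.

    Each entry is a dict from ssl.SSLContext.get_ciphers() with at least
    'name' and 'strength_bits'. An empty list means nothing matched, which
    is the case where Squid would refuse to start with that string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def is_weak(suite):
    """True if the suite is below the strength floor or carries a weak marker."""
    name = suite["name"].upper()
    if suite.get("strength_bits", 0) < MIN_STRENGTH_BITS:
        return True
    return any(marker in name for marker in WEAK_MARKERS)


def audit(suites):
    """Names of the weak suites in a resolved list; an empty list is clean."""
    return [s["name"] for s in suites if is_weak(s)]


# Constructed sample mirroring part of an OpenSSL 1.0.x DEFAULT list, i.e.
# what Squid fell back to when neither directive was set. Embedded here
# because current OpenSSL builds no longer offer most of these suites.
LEGACY_DEFAULT_SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "RC4-SHA", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
]


if __name__ == "__main__":
    print("weak suites in the legacy default sample:",
          audit(LEGACY_DEFAULT_SAMPLE))
    resolved = resolve_cipher_string(HARDENED)
    print("suites selected by HARDENED:", [s["name"] for s in resolved])
    print("weak suites in HARDENED:", audit(resolved))
```

Once audit() comes back empty for the chosen string, the same string goes into both places in squid.conf: as the cipher= option on the https_port line that carries ssl-bump, and as the value of sslproxy_cipher, so that both the client-facing and the server-facing leg are pinned; leaving either one unset is what drops that leg back to OpenSSL's DEFAULT list. Note that the strength floor alone does not catch RC4-SHA (128 bits on paper), which is why the name-based markers are needed as well.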