How to pass PCI tests with SQUID

First, you need the latest OpenSSL libraries installed so that Squid can be compiled against them. Then, apply the provided patch before you build Squid.

The patch adds a new option to the https_port directive, “NO_Compression”, which tells OpenSSL to disable TLS compression (SSL_OP_NO_COMPRESSION). TLS compression is the weakness the CRIME attack relies on, which is why it has to be switched off.

 root@compil2:/usr/src/squid-3.2.6/src/ssl# patch < squid_3.2.6_noTLScompression.patch

Now, in the config file, disable TLS compression (CRIME attack) and force the server’s cipher preference (BEAST attack):

vi squid.conf
https_port […] options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH […]
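As an added example (not part of the original post), a small linter that parses the https_port line of a squid.conf and reports whether it carries the settings described above: NO_SSLv2, NO_Compression and CIPHER_SERVER_PREFERENCE in options=, and a cipher= string that excludes aNULL and MD5. The sample squid.conf and the cert= path in it are constructed for the demonstration.

```python
"""Check squid.conf https_port lines for the TLS hardening in this post:
compression off (CRIME), server cipher preference on (BEAST), SSLv2 off,
and no anonymous or MD5 cipher suites."""
import shlex

# options= flags the post requires; NO_Compression is the one the patch adds.
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_Compression", "CIPHER_SERVER_PREFERENCE"}
# Exclusions the post's cipher= string carries.
REQUIRED_EXCLUSIONS = {"!aNULL", "!MD5"}


def parse_https_port(line):
    """Split an https_port line into its port, options= set and cipher= list."""
    fields = shlex.split(line)
    if not fields or fields[0] != "https_port":
        raise ValueError("not an https_port line")
    result = {"port": fields[1], "options": set(), "cipher": []}
    for field in fields[2:]:
        if field.startswith("options="):
            result["options"] = set(field[len("options="):].split(","))
        elif field.startswith("cipher="):
            result["cipher"] = field[len("cipher="):].split(":")
    return result


def check_https_port(line):
    """Return a list of findings; an empty list means the line passes."""
    cfg = parse_https_port(line)
    findings = []
    for opt in sorted(REQUIRED_OPTIONS - cfg["options"]):
        findings.append(f"options= is missing {opt}")
    if not cfg["cipher"]:
        findings.append("no cipher= string set")
    for excl in sorted(REQUIRED_EXCLUSIONS - set(cfg["cipher"])):
        findings.append(f"cipher= does not exclude {excl[1:]}")
    return findings


def lint_squid_conf(text):
    """Check every https_port line in a squid.conf body: {line_no: findings}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("https_port"):
            report[n] = check_https_port(line.strip())
    return report


# Constructed sample: line 2 is a weak listener, line 3 is hardened as in the post.
SAMPLE_CONF = """\
http_port 3128
https_port 443 cert=/etc/squid/proxy.pem options=NO_SSLv2 cipher=HIGH
https_port 8443 cert=/etc/squid/proxy.pem options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
"""
```

Run `lint_squid_conf(SAMPLE_CONF)` to get a per-line report; only the weak listener on line 2 produces findings.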



6 thoughts on “How to pass PCI tests with SQUID”

  1. Thank you, thank you, thank you
    I managed to figure out CRIME, but that cipher list for BEAST was what did the trick for me 😉

  2. Hello,

    I have the same issue passing the CRIME attack.
    Can you re-post the patch? I don’t see the link in the post.

    thanks.
