First, you need the latest OpenSSL libraries installed so that Squid can be compiled against them. Then apply the provided patch before you build Squid.
The patch adds an option to the https_port directive, “NO_Compression”, which tells OpenSSL to disable TLS compression (SSL_OP_NO_COMPRESSION). For background, see the linked explanation of why TLS compression is an issue.
root@compil2:/usr/src/squid-3.2.6/src/ssl# patch < squid_3.2.6_noTLScompression.patch
Now, in the config file, you have to disable TLS compression (CRIME attack) and force the server's cipher preferences (BEAST attack):
vi squid.conf
https_port […] options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH […]
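As an added example (not part of the original post and not Squid's own code), a small Python audit that parses an https_port line written the way the configuration above is, maps each options= flag to the OpenSSL SSL_OP_* constant it sets, and reports whether the CRIME and BEAST settings described above are present. The port, certificate paths and the WEAK sample line are constructed placeholders.

```python
import re

# Squid https_port "options=" flag -> the OpenSSL SSL_OP_* constant it sets.
# NO_Compression is the flag the patch above adds; the others are stock Squid flags.
SQUID_OPTION_TO_OPENSSL = {
    "NO_SSLv2": "SSL_OP_NO_SSLv2",
    "NO_SSLv3": "SSL_OP_NO_SSLv3",
    "NO_TLSv1": "SSL_OP_NO_TLSv1",
    "NO_Compression": "SSL_OP_NO_COMPRESSION",
    "CIPHER_SERVER_PREFERENCE": "SSL_OP_CIPHER_SERVER_PREFERENCE",
}

# Constructed sample https_port lines (port, cert paths and WEAK are placeholders, not from the post).
HARDENED = ("https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key "
            "options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE "
            "cipher=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH")
WEAK = "https_port 3129 cert=/etc/squid/proxy.pem options=NO_SSLv2 cipher=HIGH"


def parse_https_port(line):
    """Split one https_port directive into its options= flags and cipher= list."""
    opts = re.search(r"\boptions=(\S+)", line)
    ciph = re.search(r"\bcipher=(\S+)", line)
    return {
        "options": opts.group(1).split(",") if opts else [],
        "cipher": ciph.group(1).split(":") if ciph else [],
    }


def openssl_options(line):
    """Translate the Squid flags into the SSL_OP_* constants OpenSSL will receive."""
    return [SQUID_OPTION_TO_OPENSSL[o] for o in parse_https_port(line)["options"]
            if o in SQUID_OPTION_TO_OPENSSL]


def audit_https_port(line):
    """Return the CRIME/BEAST-related findings for one directive ([] means it passes)."""
    cfg = parse_https_port(line)
    opts, ciphers = set(cfg["options"]), cfg["cipher"]
    findings = []
    for name in sorted(opts - set(SQUID_OPTION_TO_OPENSSL)):
        findings.append(f"unknown option {name}: not in this check's flag table")
    if "NO_Compression" not in opts:
        findings.append("CRIME: TLS compression still enabled (missing NO_Compression)")
    if "CIPHER_SERVER_PREFERENCE" not in opts:
        findings.append("BEAST: client may pick cipher order (missing CIPHER_SERVER_PREFERENCE)")
    for excluded in ("!aNULL", "!MD5"):
        if excluded not in ciphers:
            findings.append(f"cipher list does not exclude {excluded[1:]}")
    return findings
```

Running `audit_https_port(HARDENED)` returns an empty list, while the WEAK line produces four findings.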
Thank you, thank you, thank you
I managed to figure out CRIME, but that cipher list for BEAST was what did the trick for me 😉
You’re welcome!
Probably good to mention that this is not available on OpenSSL < 0.9.9?
Hello,
I have the same issue trying to pass the CRIME attack.
Can you re-post the patch? I don’t see the link in the post.
thanks.
Hi Boris,
My “download plugin” has removed all the files I shared; I don’t have the patch anymore.
But you can find it here: http://www.squid-cache.org/mail-archive/squid-users/201212/0010.html
BTW, I strongly recommend that you upgrade your Squid to the newest release.
Cheers!
Ok, thanks!!