Thank you, that helped greatly.
cheers
stuart
On 13/08/14 10:09, Will Martin wrote:
I can't offer a comprehensive guide, but I can give you some tips
gleaned from the EZ Proxy mailing list and my own experimentation.
There are some configuration settings you can adjust to improve its
security. Here are the ones from mine:
# Disable old, insecure SSL methods
Option DisableSSL56bit
Option DisableSSL40bit
Option DisableSSLv2
Those go before setting the LoginPortSSL -- in my config.txt, they're
the first thing after the Name directive at the top of the file.
Doing that will help a good bit. Here's the report for my server on SSL
Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=ezproxy.library.und.edu
A marked improvement. Not perfect, but much better.
EZ Proxy embeds a statically linked copy of the SSL libraries, so SSL
upgrades to it only happen when you update EZ Proxy itself. I'm on
version 5.7.32, which still suffers from some old security
vulnerabilities, as you can see in the SSL labs report.
I believe the next version of EZ Proxy is supposed to update the SSL to
support newer protocols. But I'm not sure, and I'm unlikely to find out
of my own. OCLC recently changed their pricing model to a yearly
subscription fee if you want to receive continued updates, and my
university has not chosen to pay for that at this time. So we won't be
getting any further updates until we can find the money for the yearly fee.
Hope this helps.
Will Martin
On 2014-08-12 16:38, Stuart Yeates wrote:
So I just ran my EZproxy through an SSL checker and was shocked by the
outcome:
https://www.ssllabs.com/ssltest/analyze.html?d=login.helicon.vuw.ac.nz
Finding other EZproxy installs in google and checking them gave a
range of answers, some MUCH better, some MUCH worse. Clearly secure
EZproxy is possible, but patchy.
Is there a decent guide to securing EZproxy anywhere?
I'm hoping that it might be as simple as dropping a new openssl
library into a directory within the EZproxy install?
cheers
stuart
