On 17/09/2015 7:18 p.m., Dieter Bloms wrote:
> here the ssl relevant part of my squid.conf
> --snip--
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key 
> generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL

I'm not sure if this is your problem, but the presence of "ALL" at the
end overrides the previous NO_SSLv2:NO_SSLv3 settings.

Better not to use "ALL", it enables a lot of known problematic
workarounds and hacks for obsolete software. But if you actually need
it, place it first then remove the bits you don't want. Same as what is
done below for ciphers.

> sslproxy_cipher 
> ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> --snip--
> 
> so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
> do a GET Request to https://banking.postbank.de/ to see if that works.
> 

(Sorry I can't help with the testing for bump, hopefully Marcus and Alex's
responses are useful there).

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
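
Added example, not part of the original message and not Squid's own code: a small check that applies the reply's ordering advice to `sslproxy_options` lines in a squid.conf. The function name, the severity labels and the sample text are constructed for illustration; splitting on commas as well as colons is an assumption.

```python
import re

# Constructed sample: the sslproxy_options line quoted in the message,
# followed by the two forms the reply suggests instead.
SAMPLE_CONF = """\
# constructed squid.conf excerpt
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_options ALL:NO_SSLv2:NO_SSLv3
sslproxy_options NO_SSLv2:NO_SSLv3
"""


def lint_sslproxy_options(conf_text):
    """Return (line_number, severity, message) for each questionable line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop squid.conf comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "sslproxy_options":
            continue
        # Tokens are colon separated on the page; commas accepted as an assumption.
        tokens = [t for t in re.split(r"[:,]", parts[1].strip()) if t]
        if "ALL" not in tokens:
            continue
        pos = tokens.index("ALL")
        if pos > 0:
            earlier = ", ".join(tokens[:pos])
            findings.append((lineno, "error",
                             "ALL is listed after " + earlier + "; per the reply "
                             "it overrides them, so put ALL first or drop it"))
        else:
            findings.append((lineno, "warn",
                             "ALL enables workarounds for obsolete software; "
                             "keep it only if actually needed"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_sslproxy_options(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, severity, message))
```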
