squid官网:http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html
Method 1: the version= and options= parameters of https_port (quoted from the page above):
SSL Options:
       cert=        Path to SSL certificate (PEM format).
       key=         Path to SSL private key file (PEM format)
                    if not specified, the certificate file is
                    assumed to be a combined certificate and
                    key file.
       version=     The version of SSL/TLS supported
                        1 automatic (default)
                        2 SSLv2 only
                        3 SSLv3 only
                        4 TLSv1 only
       options=     Various SSL engine options. The most important
                    being:
                        NO_SSLv2      Disallow the use of SSLv2
                        NO_SSLv3      Disallow the use of SSLv3
                        NO_TLSv1      Disallow the use of TLSv1
                        SINGLE_DH_USE Always create a new key when using
                                      temporary/ephemeral DH key exchanges
                        SINGLE_ECDH_USE
                                      Enable ephemeral ECDH key exchange.
                                      The adopted curve should be specified
                                      using the tls-dh option.
                    See src/ssl_support.c or OpenSSL SSL_CTX_set_options
                    documentation for a complete list of options.
version= only accepts the values 1 to 4.
Method 2: the sslproxy_* directives:
sslproxy_options NO_SSLv2
sslproxy_options NO_SSLv3
sslproxy_options NO_TLSv1
sslproxy_options NO_TLSv1_1
sslproxy_version 6
But NO_TLSv1 and NO_TLSv1_1 have no effect, and sslproxy_version 6 has no effect either; in other words, setting it to 6 does not work at all.
Squid 3.5.23 cannot be compiled against the latest OpenSSL 1.1.0c; it can be built with OpenSSL 1.0.2g, but even with that build https_port version=6 will not start, and the vulnerability is still present.
sslproxy_options NO_SSLv2 is also a workable approach, but sslproxy_options NO_TLSv1 and sslproxy_options NO_TLSv1_1 cannot be used, i.e. the higher versions cannot be disabled.
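Whichever of the two methods above is tried, the only reliable way to know whether a version was actually disabled is to handshake against the listener with each protocol forced and see what the server accepts. The script below is an added example written for these notes; it is not from the Squid project or from the original page. It assumes openssl(1) is on PATH and was built with the protocol flags it passes (-ssl3, -tls1, -tls1_1, -tls1_2), and the host/port values are hypothetical. Note that it probes the https_port listener, which is governed by the https_port options=/version= parameters from Method 1; the sslproxy_* directives of Method 2 configure Squid's own outbound TLS connections to origin servers, so they cannot be verified by connecting to https_port.

```shell
#!/bin/sh
# Added example (not Squid's code): probe an https_port with openssl s_client
# and report which SSL/TLS versions it still accepts, instead of trusting
# that a NO_TLSv1 / version= setting took effect.

# handshake_ok OUTPUT
# Decide from s_client's captured output whether a handshake completed.
# A successful session prints a real cipher in the SSL-Session block; a
# refused version prints "Cipher    : 0000" (plus an alert on stderr), and
# a failed connect prints no SSL-Session block at all.
handshake_ok() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ''|0000) return 1 ;;
    esac
    case "$1" in
        *"alert handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            return 1 ;;
    esac
    return 0
}

# probe_tls HOST PORT FLAG -> 0 if the server accepts that protocol version.
# If the local OpenSSL was built without a protocol (e.g. no-ssl3), s_client
# rejects the flag, no SSL-Session block appears, and it is reported as refused.
probe_tls() {
    out=$(openssl s_client -connect "$1:$2" "-$3" </dev/null 2>&1)
    handshake_ok "$out"
}

# report_legacy_tls HOST PORT: one line per protocol; exit status 1 if
# anything below TLSv1.2 is still negotiable (the situation in the notes).
report_legacy_tls() {
    rc=0
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        if probe_tls "$1" "$2" "$proto"; then
            echo "$proto: ACCEPTED"
            [ "$proto" = tls1_2 ] || rc=1
        else
            echo "$proto: refused"
        fi
    done
    return $rc
}

# Constructed sample outputs (trimmed to the lines the parser looks at),
# so handshake_ok can be exercised without a live listener.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
'
SAMPLE_REFUSED='CONNECTED(00000003)
140735259390848:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
'

# Usage: ./tlsprobe.sh squid.example.internal 3129   (hypothetical host/port)
if [ $# -ge 1 ]; then
    report_legacy_tls "$1" "${2:-3129}"
fi
```

Run it once before and once after reloading squid.conf: with https_port ... options=NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1 (the colon-joined form, assumed here for a Squid 3.5 build that accepts those option names) only the tls1_2 line should read ACCEPTED.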