Bug #4453
closed
Squid-in-the-middle SSL Bump downgrades client SSL/TLS connections
Description
When enabling the Squid-in-the-middle SSL Bump option on pfSense 2.2/2.2.1, the SSL/TLS connections between server <-> Squid and Squid <-> client can be downgraded to low-security SSL/TLS ciphers and key sizes. The configuration UI does not allow setting the cipher selection for the "cipher=" option of https_port, nor for the sslproxy_cipher parameter. This essentially lets Squid use a default cipher selection which is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40-bit keys, RC4, and everything that has already been broken.
This is a critical bug and may render strong encryption useless once SSL Bump is deployed. Please use sane defaults for the "cipher=" option of https_port and the sslproxy_cipher parameter. I use the cipher string from https://bettercrypto.org/ and can recommend everyone to do the same.
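A way to check a generated squid.conf for the gap described in this report, as an added example that is not part of the original ticket or of the pfSense package: it flags SSL Bump listeners that lack a `cipher=` option and a missing `sslproxy_cipher` directive. The sample configs, paths, and the `PLACEHOLDER_CIPHER_STRING` value are constructed for illustration.

```python
# Constructed sample: bump listener with no cipher restriction on either side.
SAMPLE_DEFAULT = """\
# SSL Bump enabled, cipher selection left to Squid's defaults
http_port 3128
https_port 3129 intercept ssl-bump cert=/path/to/ca.pem
"""

# Constructed sample: both sides pinned (placeholder stands in for a real cipher string).
SAMPLE_PINNED = """\
https_port 3129 intercept ssl-bump cert=/path/to/ca.pem cipher=PLACEHOLDER_CIPHER_STRING
sslproxy_cipher PLACEHOLDER_CIPHER_STRING
"""


def audit_squid_ciphers(conf_text):
    """Return findings about cipher selection for SSL Bump in a squid.conf."""
    findings = []
    bump_seen = False
    server_side_cipher = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        # http_port also accepts ssl-bump in Squid 3.x, so check both listeners.
        if directive in ("http_port", "https_port") and "ssl-bump" in args:
            bump_seen = True
            has_cipher = any(
                a.startswith("cipher=") and len(a) > len("cipher=") for a in args
            )
            if not has_cipher:
                findings.append(
                    f"line {lineno}: {directive} with ssl-bump has no cipher= option"
                )
        elif directive == "sslproxy_cipher" and args:
            server_side_cipher = True
    # Squid -> server side is only a concern when bumping is actually enabled.
    if bump_seen and not server_side_cipher:
        findings.append("sslproxy_cipher is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("pinned", SAMPLE_PINNED)):
        print(name, audit_squid_ciphers(conf) or "ok")
```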