Bug #4453: Squid-in-the-middle SSL Bump downgrades client SSL/TLS connections - pfSense Packages - pfSense bugtracker

Actions

Copy link

Bug #4453

closed

Squid-in-the-middle SSL Bump downgrades client SSL/TLS connections

Added by René Pfeiffer about 9 years ago. Updated over 8 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Squid

Target version:

Start date:

02/20/2015

Due date:

% Done:

Estimated time:

Plus Target Version:

Affected Version:

Affected Plus Version:

Affected Architecture:

All

Description

When enabling the Squid-in-the-middle SSL Bump option on pfSense 2.2/2.2.1 the SSL/TLS connections between server <-> Squid and Squid <-> client can be downgraded to low secure SSL/TLS ciphers and key sizes. The configuration UI does not allow setting the cipher selection for the "cipher=" option of https_port and neither for the sslproxy_cipher parameter. This essentially lets Squid use a default cipher selection which is a trip back to the 1990s. The SSL/TLS connection(s) suddenly allow 40 bit keys, RC4, and everything that has already been broken.

This is a critical bug and may render strong encryption useless once SSL Bump is deployed. Please use sane defaults for the "cipher=" option of https_port and the sslproxy_cipher parameter. I use the cipher string from https://bettercrypto.org/ and can recommend everyone to do the same.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense » pfSense Packages

Custom queries

Bug #4453

Squid-in-the-middle SSL Bump downgrades client SSL/TLS connections

Updated by Kill Bill about 9 years ago

Updated by René Pfeiffer about 9 years ago

Updated by Chris Buechler about 9 years ago

Updated by Kill Bill over 8 years ago

Updated by Kill Bill over 8 years ago

Updated by Chris Buechler over 8 years ago