Feature #6593 (closed)

squid: allow user to configure DH key size, SINGLE_DH_USE, NO-SSLv3, Cipher-Suites - performance improvement hint

Added by Alexander Wilke over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 07/09/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:

Description

Squid has some additional options set like:

options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE (and should have "SINGLE_ECDH_USE")

First:
For the user it would be good to have the possibility to modify "NO_SSLv3" using the WebUI to make sure that squid is compatible even with old and insecure protocols. In general no one should use old protocols, but it is the same with "untrusted" certificates: there is an option in the WebUI, too, to allow this, even though this shouldn't be done in a secure environment.

Second:
I understand SINGLE_DH_USE this way, that it generates a new key for every new connection. So in general a DH key is only valid as long as the connection is. This shouldn't be longer than several hours or so.
From a security point of view DH key size with less than 2048bit is insecure. But this is only valid for DH keys which do not change. For DH keys which change for example with every connection (SINGLE_DH_USE) this should not be a security problem. But increasing the DH key from 1024 up to 2048 bit increases the performance impact by 5x-6x.

So there should be a valid discussion about whether there should be an option in the WebUI to configure a 1024-bit DH key and use SINGLE_DH_USE, which will probably be as secure as or more secure than a static 2048-bit DH key.

Third:
Allow the administrator to configure the allowed cipher-suites. One possibility could be that there is a "recommended" profile which configures the cipher-suites like you do at the moment by default.
Then there could be a custom field where the user can enter the allowed ciphers like "!3DES:HIGH:!RC4" like he wants.
