From 98716bd751caf13bd880170cc4a75b35b2a4ac13 Mon Sep 17 00:00:00 2001
From: Fabian Franz
Date: Wed, 22 Mar 2017 11:19:50 +0100
Subject: [PATCH] harden ciphers and tls versions - Note: SSL cannot be disabled because it does not exist
---
 src/opnsense/service/templates/OPNsense/Proxy/squid.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index baa1667fa..375be0dad 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -51,6 +51,9 @@ sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
+sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+sslproxy_options NO_TLSv1
+
 # setup ssl bump acl's
 acl bump_step1 at_step SslBump1
 acl bump_step2 at_step SslBump2
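Review bot: The added `sslproxy_options NO_TLSv1` line disables only TLS 1.0, so TLS 1.1 stays negotiable on Squid's outgoing (proxy-to-origin) connections; if the deployment's origin servers allow it, the line should read `sslproxy_options NO_TLSv1:NO_TLSv1_1` so that TLS 1.2 is the floor. The `MEDIUM` keyword in the `sslproxy_cipher` string keeps the 128-bit legacy suites OpenSSL classifies there (e.g. SEED), which the explicit `!RC4:!3DES` exclusions do not cover, so consider dropping `MEDIUM` or adding `!SEED:!IDEA`. Both directives are hard-coded while the neighbouring `sslcrtd_*` lines read from `OPNsense.proxy.forward.*` with `|default(...)`, so a template variable with these as the default would keep the file consistent and let operators adjust them. Note that `sslproxy_*` only governs the server-facing side of the bump; the client-facing `https_port` cipher/options are set elsewhere in this file and are not touched by this hunk.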