Thank you, that helped greatly.
On 13/08/14 10:09, Will Martin wrote:
> I can't offer a comprehensive guide, but I can give you some tips
> gleaned from the EZ Proxy mailing list and my own experimentation.
> There are some configuration settings you can adjust to improve its
> security. Here are the ones from mine:
> # Disable old, insecure SSL methods
> Option DisableSSL56bit
> Option DisableSSL40bit
> Option DisableSSLv2
> Those go before setting the LoginPortSSL -- in my config.txt, they're
> the first thing after the Name directive at the top of the file.
> Doing that will help a good bit. Here's the report for my server on SSL
> A marked improvement. Not perfect, but much better.
> EZ Proxy embeds a statically linked copy of the SSL libraries, so SSL
> upgrades to it only happen when you update EZ Proxy itself. I'm on
> version 5.7.32, which still suffers from some old security
> vulnerabilities, as you can see in the SSL labs report.
> I believe the next version of EZ Proxy is supposed to update the SSL to
> support newer protocols. But I'm not sure, and I'm unlikely to find out
> of my own. OCLC recently changed their pricing model to a yearly
> subscription fee if you want to receive continued updates, and my
> university has not chosen to pay for that at this time. So we won't be
> getting any further updates until we can find the money for the yearly fee.
> Hope this helps.
> Will Martin
> On 2014-08-12 16:38, Stuart Yeates wrote:
>> So I just ran my EZproxy through an SSL checker and was shocked by the
>> Finding other EZproxy installs in google and checking them gave a
>> range of answers, some MUCH better, some MUCH worse. Clearly secure
>> EZproxy is possible, but patchy.
>> Is there a decent guide to securing EZproxy anywhere?
>> I'm hoping that it might be as simple as dropping a new openssl
>> library into a directory within the EZproxy install?