I can't offer a comprehensive guide, but I can give you some tips 
gleaned from the EZ Proxy mailing list and my own experimentation.

There are some configuration settings you can adjust to improve its 
security.  Here are the ones from mine:

# Disable old, insecure SSL methods
Option DisableSSL56bit
Option DisableSSL40bit
Option DisableSSLv2

Those go before setting the LoginPortSSL -- in my config.txt, they're 
the first thing after the Name directive at the top of the file.

Doing that will help a good bit.  Here's the report for my server on SSL 
Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=ezproxy.library.und.edu

A marked improvement.  Not perfect, but much better.

EZ Proxy embeds a statically linked copy of the SSL libraries, so SSL 
upgrades to it only happen when you update EZ Proxy itself.  I'm on 
version 5.7.32, which still suffers from some old security 
vulnerabilities, as you can see in the SSL Labs report.

I believe the next version of EZ Proxy is supposed to update the SSL to 
support newer protocols.  But I'm not sure, and I'm unlikely to find out 
on my own.  OCLC recently changed their pricing model to a yearly 
subscription fee if you want to receive continued updates, and my 
university has not chosen to pay for that at this time.  So we won't be 
getting any further updates until we can find the money for the yearly 
fee.

Hope this helps.

Will Martin

On 2014-08-12 16:38, Stuart Yeates wrote:
> So I just ran my EZproxy through an SSL checker and was shocked by the 
> outcome:
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=login.helicon.vuw.ac.nz
> 
> Finding other EZproxy installs in Google and checking them gave a
> range of answers, some MUCH better, some MUCH worse. Clearly secure
> EZproxy is possible, but patchy.
> 
> Is there a decent guide to securing EZproxy anywhere?
> 
> I'm hoping that it might be as simple as dropping a new openssl
> library into a directory within the EZproxy install?
> 
> cheers
> stuart