Thank you, that helped greatly.

cheers
stuart

On 13/08/14 10:09, Will Martin wrote:
> I can't offer a comprehensive guide, but I can give you some tips
> gleaned from the EZ Proxy mailing list and my own experimentation.
>
> There are some configuration settings you can adjust to improve its
> security.  Here are the ones from mine:
>
> # Disable old, insecure SSL methods
> Option DisableSSL56bit
> Option DisableSSL40bit
> Option DisableSSLv2
>
> Those go before setting the LoginPortSSL -- in my config.txt, they're
> the first thing after the Name directive at the top of the file.
>
> Doing that will help a good bit.  Here's the report for my server on SSL
> Labs:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=ezproxy.library.und.edu
>
> A marked improvement.  Not perfect, but much better.
>
> EZ Proxy embeds a statically linked copy of the SSL libraries, so SSL
> upgrades to it only happen when you update EZ Proxy itself.  I'm on
> version 5.7.32, which still suffers from some old security
> vulnerabilities, as you can see in the SSL Labs report.
>
> I believe the next version of EZ Proxy is supposed to update the SSL to
> support newer protocols.  But I'm not sure, and I'm unlikely to find out
> on my own.  OCLC recently changed their pricing model to a yearly
> subscription fee if you want to receive continued updates, and my
> university has not chosen to pay for that at this time.  So we won't be
> getting any further updates until we can find the money for the yearly fee.
>
> Hope this helps.
>
> Will Martin
>
> On 2014-08-12 16:38, Stuart Yeates wrote:
>> So I just ran my EZproxy through an SSL checker and was shocked by the
>> outcome:
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=login.helicon.vuw.ac.nz
>>
>> Finding other EZproxy installs in Google and checking them gave a
>> range of answers, some MUCH better, some MUCH worse. Clearly secure
>> EZproxy is possible, but patchy.
>>
>> Is there a decent guide to securing EZproxy anywhere?
>>
>> I'm hoping that it might be as simple as dropping a new openssl
>> library into a directory within the EZproxy install?
>>
>> cheers
>> stuart
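
The placement tip in Will Martin's reply (the three `Option DisableSSL...` lines go before `LoginPortSSL`) can be checked mechanically. The script below is an added example, not part of the original thread or of EZproxy itself; the function name `audit_config`, the sample hostname and the port are assumptions made for illustration, as is the case-insensitive matching of directive names.

```python
# Added example: lint an EZproxy config.txt for the ordering described in the thread.
REQUIRED = ("DisableSSL56bit", "DisableSSL40bit", "DisableSSLv2")

def audit_config(text):
    """Return findings; an empty list means all three options precede LoginPortSSL."""
    seen = {}            # option name -> first line number where it appears
    login_ssl = None     # line number of the first LoginPortSSL directive
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue     # blank line or comment
        # Assumption: directive names are matched case-insensitively.
        keyword = parts[0].lower()
        if keyword == "option" and len(parts) > 1:
            for name in REQUIRED:
                if parts[1].lower() == name.lower():
                    seen.setdefault(name, lineno)
        elif keyword == "loginportssl" and login_ssl is None:
            login_ssl = lineno
    findings = []
    for name in REQUIRED:
        if name not in seen:
            findings.append(f"missing: Option {name}")
        elif login_ssl is not None and seen[name] > login_ssl:
            findings.append(f"line {seen[name]}: Option {name} comes after "
                            f"LoginPortSSL (line {login_ssl})")
    return findings

# Constructed sample configs (hostname and port are placeholders).
GOOD = """\
Name ezproxy.example.edu
# Disable old, insecure SSL methods
Option DisableSSL56bit
Option DisableSSL40bit
Option DisableSSLv2
LoginPortSSL 443
"""
BAD = """\
Name ezproxy.example.edu
LoginPortSSL 443
Option DisableSSLv2
Option DisableSSL56bit
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_config(cfg) or "ok")
```

A clean result only confirms the directives are present and in the order described; the protocol and cipher support actually offered still has to be confirmed with an external scan such as the SSL Labs test linked in the thread.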