EZproxy & OpenSSL

EZproxy v6.2.2 was built with OpenSSL 1.0.2j, so it supports TLS 1.0, 1.1, and 1.2.

By default, the following encryption/security options are disabled:

  • SSLv2
  • SSLv3
  • 40 bit encryption keys
  • 56 bit encryption keys

SSL Directives

The following directives can be used to customize OpenSSL settings.

Directive: SSLCipherSuite
Values: OpenSSL cipher strings
Description: SSLCipherSuite defaults to the following value:

HIGH:MEDIUM:!ADH:!aNULL:!LOW:!EXP:!SSLv2:@STRENGTH

Additional values can be appended to, or used to replace, the default to customize EZproxy's OpenSSL security settings.

For more information on how this relates to the "grades" issued by evaluator sites such as Qualys SSL Labs, see the January 2017 EZproxy Community Newsletter.

Directive: SSLHonorCipherOrder
Values: On, Off
Description: Assigning this directive the value On indicates that the EZproxy server should choose the cipher to use when accepting incoming secure connections.

Assigning this directive the value Off indicates that EZproxy should use the client's preferred cipher when accepting incoming secure connections.

Directive: SSLOpenSSLConfCmd
Values: Supported configuration file commands
Description: This directive allows OpenSSL-specific commands to be used to control advanced settings of OpenSSL.

Supported OpenSSL Parameters

The following OpenSSL parameters are compatible with EZproxy.

Parameter: Diffie-Hellman parameters
Value: dhparam
Description: These parameters can now be included within a key file in the SSL subdirectory. Such values can be generated with the OpenSSL dhparam command.

Parameter: Elliptic curve parameters
Value: ecparam
Description: These parameters can now be included within a key file in the SSL subdirectory. Such values can be generated with the OpenSSL ecparam command.

Previous Versions

Details about previous versions of EZproxy and compatibility with OpenSSL can be found below.

EZproxy V6.1.16

EZproxy v6.1.16 was built with OpenSSL 1.0.2h, so it supports TLS 1.0, 1.1, and 1.2.

By default, the following encryption/security options are disabled:

  • SSLv2
  • SSLv3
  • 40 bit encryption keys
  • 56 bit encryption keys

EZproxy V6.0.8

By default, the following encryption/security options are disabled:

  • SSLv2
  • SSLv3
  • 40 bit encryption keys
  • 56 bit encryption keys

Previously these options had to be disabled manually with directives in config.txt.

The new default SSLCipherSuite string is:

HIGH:MEDIUM:!ADH:!aNULL:!LOW:!EXP:!SSLv2:@STRENGTH

All other settings available in EZproxy V5.7.44 are available in EZproxy V6.0.8.

EZproxy V5.7.44

EZproxy 5.7.44 supports TLS 1.0. By default, however, SSLv2 is enabled, and it must be manually disabled to make TLS 1.0 the default. For more details on SSL 2 and SSL 3, please see http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0. This article also describes Transport Layer Security (TLS), the successor to SSL 2 and SSL 3.

By default, the following encryption/security options are disabled:

  • SSLv3

By default, the following encryption/security options are enabled:

  • SSLv2

The following config.txt statements control the SSL/TLS options your instance of EZproxy will use.

Directive: Option DisableSSLv2
Values: NA
Description: By default, EZproxy V5.7.44 disables SSL 3 and enables SSL 2. Because EZproxy V5.7.44 supports TLS 1.0 for client-to-webserver interactions, OCLC recommends that you also disable SSL 2 in addition to the default-disabled SSL 3. To do this, place Option DisableSSLv2 before any LoginPortSSL statements in your config.txt file. After disabling SSL 2 and retaining the default setting of disabled SSL 3, your EZproxy will default to TLS 1.0.

Directive: SSLCipherSuite
Values: Cipher strings
Description: SSLCipherSuite offers finer-grained control over SSL/TLS options. We use OpenSSL as our security library layer, and SSLCipherSuite options are passed directly to OpenSSL for processing. EZproxy V5.7.44 supports all of the cipher strings defined at https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-STRINGS.

SSLCipherSuite was introduced with the first V5.7 release. OCLC recommends updating to V5.7.44 if you use SSLCipherSuite. For more details about SSLCipherSuite values and EZproxy directives, see SSLCipherSuite below.

Directive: Option EnableSSLv3
Values: NA
Description: SSL 2 and SSL 3 are older protocol definitions that normally should not be used. We provide the ability to use them because some legacy environments may need them. If you are using an environment that requires SSL 3, you can force EZproxy to use this protocol by entering Option EnableSSLv3 before any LoginPortSSL statements in your config.txt file, but this is not the recommended setting.

SSLCipherSuite

If SSLCipherSuite is present in config.txt, and no values are defined for this directive, EZproxy defaults to the values:

SSLCipherSuite HIGH:MEDIUM:LOW:EXP:!ADH:!aNULL

The table below lists additional directives that influence the SSLCipherSuite string, and the value each one appends to the default.

Directive: Option DisableSSL56bit
Appended to default: :!LOW:!EXP

Directive: Option DisableSSL40bit
Appended to default: :!EXP

Directive: Option DisableSSL40bit or Option DisableSSLv2
Appended to default: :!SSLv2

After any of the above changes are applied, EZproxy always appends to the default string:

:@STRENGTH
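To make the rules above concrete, here is an added example (not EZproxy's own code) that builds the effective V5.7.44 SSLCipherSuite string from a constructed config.txt fragment using the appended-value table, and then asks the local OpenSSL, through Python's ssl module, what the weakest key strength a given string (such as the V6.2.2 default) would actually offer. It assumes that a term already appended by one Option directive is not appended a second time by another.

```python
import ssl

# Cipher strings quoted on this page: the V5.7.44 base string and the V6.x default.
BASE_V5744 = "HIGH:MEDIUM:LOW:EXP:!ADH:!aNULL"
DEFAULT_V6 = "HIGH:MEDIUM:!ADH:!aNULL:!LOW:!EXP:!SSLv2:@STRENGTH"

# Terms each Option directive appends to the base string, per the page's table.
# Assumption: a term already appended by an earlier directive is not appended twice.
APPENDS = {
    "DisableSSL56bit": ["!LOW", "!EXP"],
    "DisableSSL40bit": ["!EXP", "!SSLv2"],
    "DisableSSLv2": ["!SSLv2"],
}


def effective_cipher_suite(config_text):
    """Return the SSLCipherSuite string EZproxy V5.7.44 would pass to OpenSSL.

    'SSLCipherSuite <string>' replaces the base string; a bare 'SSLCipherSuite'
    keeps it.  Option directives append their terms, and ':@STRENGTH' is
    always appended last, as the page states.
    """
    suite = BASE_V5744
    appended = []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "SSLCipherSuite" and len(parts) == 2:
            suite = parts[1].strip()
        elif parts[0] == "Option" and len(parts) == 2:
            for term in APPENDS.get(parts[1].strip(), []):
                if term not in appended:
                    appended.append(term)
    return ":".join([suite] + appended) + ":@STRENGTH"


def weakest_key_bits(cipher_string):
    """Expand a cipher string with the local OpenSSL (via Python's ssl module)
    and return the smallest key strength it would offer (ssl.SSLError if empty)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


# Constructed sample config.txt fragment (not from the page).
SAMPLE_CONFIG = """# legacy 56-bit and 40-bit ciphers switched off
Option DisableSSL56bit
Option DisableSSL40bit
LoginPortSSL 443
"""

if __name__ == "__main__":
    print("V5.7.44 effective string:", effective_cipher_suite(SAMPLE_CONFIG))
    print("V6.2.2 default, weakest key:", weakest_key_bits(DEFAULT_V6), "bits")
```

Unknown cipher-string tokens are silently ignored by OpenSSL, so weakest_key_bits is the check that tells you what a string really enables on the OpenSSL build in use.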

DES and AES Encryption

EZproxy supports 40-bit encryption, 56-bit encryption, and 128-, 192- and 256-bit AES encryption. The encryption key length defines the strength of the cipher used to encrypt data transmitted via SSL/TLS over https: connections.

40 and 56 bit encryption should be disabled by default; however, OCLC provides 40 and 56 bit encryption for legacy purposes. OCLC recommends that you disable 40 and 56 bit encryption unless you have specific legacy requirements.

To disable 40 bit encryption, add the following statement to your config.txt file:

Option DisableSSL40bit

To disable 56 bit encryption, add the following statement to your config.txt file:

Option DisableSSL56bit

This page last revised: November 15, 2016