Configure OpenSSL directives

Supported OpenSSL parameters

The following OpenSSL parameters are compatible with EZproxy.

Previous versions

Details about previous versions of EZproxy and compatibility with OpenSSL can be found below.

EZproxy V7.2

EZproxy 7.2 was built with the most current Long Term Support release of OpenSSL (1.1.1j). It supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• Inbound connections from browsers support ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES128-GCM-SHA256.
• Outbound connections to content providers default to a more tolerant configuration of ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4 . This change avoids breaking connectivity to content providers that may not have raised their minimum standards to EZproxy's new default.
• The outbound requirements can be increased to match the new inbound default with the directive:

        SSLCipherSuite -outbound ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

• Although this should no longer be necessary, if TLS 1.1 is required in either direction, it can be enabled with either or both of these directives:

        SSLOpenSSLConfCmd -inbound MinProtocol TLSv1.1

        SSLOpenSSLConfCmd -outbound MinProtocol TLSv1.1

The default SSLCipherSuite string remains unchanged from v6.3.5.

EZproxy V7.1.17

EZproxy 7.1.17 was built with the most current Long Term Support release of OpenSSL (1.1.1j). It supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• RC4
• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

The default SSLCipherSuite string remains unchanged from v6.3.5.

EZproxy V7.1

EZproxy v7.1 was built with OpenSSL 1.1.1i, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• RC4
• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

The default SSLCipherSuite string remains unchanged from v6.3.5.

EZproxy V7.0.16

EZproxy v7.0.16 was built with OpenSSL 1.1.1f, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• RC4
• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

The default SSLCipherSuite string remains unchanged from v6.3.5.

EZproxy V6.5.2

EZproxy v6.5.2 was built with OpenSSL 1.0.2q, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• RC4
• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

The new default SSLCipherSuite string unchanged from v6.3.5.

EZproxy V6.3.5

EZproxy v6.3.5 was built with OpenSSL 1.0.2m, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• RC4
• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

The new default SSLCipherSuite string is:

ALL: !EXPORT: !LOW: !aNULL: !eNULL: !SSLv2: !RC4

EZproxy V6.2.2

EZproxy v6.2.2 was built with OpenSSL 1.0.2j, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

EZproxy V6.1.16

EZproxy v6.1.16 was built with OpenSSL 1.0.2h, so it supports TLS 1.0, 1.1, and 1.2. By default, the following encryption/security options are disabled:

• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

 

EZproxy V6.0.8

By default, the following encryption/security options are disabled:

• SSLv2
• SSLv3
• 40 bit encryption keys
• 56 bit encryption keys

Previously these options had to be disabled manually with directives in config.txt.

The new default SSLCipherSuite string is:

HIGH:MEDIUM:!ADH:!Anull:!LOW:!EXP:!SSLv2:@STRENGTH

All other settings available in EZproxy V5.7.44 are available in EZproxy V6.0.8.

EZproxy V5.7.44

EZproxy 5.7.44 supports TLS 1.0. By default however, SSLv2 is enabled, and this must be manually disabled to make TLS 1.0 the default. For more details on SSL 2 and SSL 3, please see http://en.wikipedia.org/wiki/Transpo...2C_2.0_and_3.0. This article also describes transport level security (TLS), the successor to SSL 2 and SSL 3. By default, the following encryption/security options are disabled:

• SSLv3

By default, the following encryption/security options are enabled:

• SSLv2

The following config.txt statements control the SSL/TLS options your instance of EZproxy will use.

Directive	Values	Description
Option Disable SSLv2	NA	By default, EZproxy V5.7.44 disables SSL 3 and enables SSL 2. Because EZproxy V5.7.44 supports TLS 1.0 for client to webserver interactions, OCLC recommends that you also disable SSL 2 in addition to the default-disabled SSL 3.To do this, place Option DisableSSLv2 before any LoginPortSSL statements in your config.txt file. After disable SSL and retaining the default setting of disabled SSL 3, you EZproxy will default to TLS 1.0.
SSLCipherSuite	Cipher Strings	SSLCipherSuite offers finer-grained control over SSL/TLS options. We use OpenSSL as our security library layer, and SSLCipherSuite options are passed directly to OpenSSL for processing. EZproxy V5.7.44 supports all of the cipher settings defined by OpenSSL Cipher Strings. SSLCipherSuite was introduced with the first V5.7 release. OCLC recommends updating to V5.7.44 if you use SSLCipherSuite. For more details about SSLCipherSuite values and EZproxy directives, see SSLCipherSuite below.
Option EnableSSLv3	NA	SSL 2 and SSL 3 are older protocol definitions that normally should not be used. We provide the ability to use them since some legacy environments may need them. If you are using an environment that requires SSL 3, you can force EZproxy to use this protocol by entering Option EnableSSLv3 before an LoginPortSSL statements in your config.txt file, but this is not the recommended setting.