[squid-users] Disable SSLv3 on Squid doesn't seem to work

Alexander Samad alex at samad.com.au
Mon Dec 15 03:53:36 UTC 2014


Does that need to be https_port?

This is what I have used:

https_port 2.7.3.1:443 accel cert=/etc/httpd/conf.d/a,b,c.crt
key=/etc/httpd/conf.d/a.b.c.key defaultsite=a.b.c
options=NO_SSLv2,NO_SSLv3

The only thing I haven't got working is PFS.

I test with https://www.ssllabs.com/

Alex

On 22 November 2014 at 03:07, Sebastian Fohler <info at far-galaxy.de> wrote:
> Thank you Amos,
>
> I've implemented http_port 80 ssl-bump options=NO_SSLv3:NO_SSLv2
> Yet still the proxy accepts SSLv3 connections in the sniffing protocol.
>
> Something is still wrong.
>
> Best regards
> Sebastian
>
>
> On 21.11.2014 16:29, Amos Jeffries wrote:
>>
>>
>> On 22/11/2014 3:57 a.m., Sebastian Fohler wrote:
>>>
>>> I've disabled SSLv3 with this option set in my squid.conf file:
>>>
>>> sslproxy_options NO_SSLv3 NO_SSLv2
>>>
>>> But despite the fact that the squid proxy accepted the configuration
>>> without any problems, I still get SSLv3 connections working. I've
>>> sniffed the traffic on that interface on the proxy port and if I
>>> do an SSLv3 connection from the browser and do a poodle check, the
>>> sniffing protocol shows an established SSLv3 connection.
>>
>>
>> The connection between browser and Squid is controlled by the *_port
>> settings.
>>
>> sslproxy_* directives are purely for DIRECT or ORIGINAL_DST server
>> connections.
>>
>>>
>>> Can someone tell me if I missed something here?
>>
>>
>> The sslproxy_options setting is an OpenSSL format string, which is a
>> list of comma (',') or colon (':') separated OpenSSL option names.
>>
>>
>> What you need to configure is something like these:
>>
>>   # to prevent SSL on inbound traffic
>>   https_port ...  options=NO_SSLv3:NO_SSLv2
>>   http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2
>>
>>   # to prevent SSL on direct server traffic
>>   sslproxy_options NO_SSLv3:NO_SSLv2
>>
>>   # to prevent SSL on relayed peer connections
>>   cache_peer ... ssloptions=NO_SSLv3:NO_SSLv2
>>
>>
>>> Is there some option which could override the sslproxy_options
>>> setting?
>>
>>
>> If anything the OpenSSL library configuration may have such options.
>> But AFAIK that is for configuring the defaults and squid.conf settings
>> are overriding them.
>>
>>
>>> How can I check if the sslproxy_options are really being used?
>>
>>
>> Good question. I'm not aware of anything in particular. If there is an
>> SSL/TLS testing website, connecting to it through Squid should tell you.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
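Amos's answer to "how can I check if the options are really being used" is to test from outside. The script below is an added example (not from the thread or from the Squid project) that does that locally for the inbound side, i.e. an https_port or an ssl-bump http_port: it asks `openssl s_client` for one protocol version at a time and reports whether Squid completed the handshake. It assumes the openssl CLI is installed and that the host:port passed in is a placeholder for your own listener.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: probe a Squid listener
# (an https_port or an ssl-bump http_port) for each legacy protocol version
# and report which ones still complete a handshake. Assumes the openssl CLI
# is installed; a build that refuses to even attempt the requested version
# is reported as "rejected", which is the outcome you want for -ssl3.

# Classify captured `openssl s_client` output. A completed handshake prints a
# "New, <version>, Cipher is <CIPHER>" line; a refused one prints
# "Cipher is (NONE)" and/or a handshake error, so anything else is "rejected".
classify_handshake() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^New, [^,]+, Cipher is [A-Z0-9_-]+'; then
        echo accepted
    else
        echo rejected
    fi
}

# Run one probe against host:port with a protocol flag such as -ssl3 or -tls1.
# stdin is redirected from /dev/null so s_client exits after the attempt.
probe_version() {
    target="$1"; flag="$2"
    out=$(openssl s_client -connect "$target" "$flag" 2>&1 </dev/null)
    printf '%-8s %s\n' "$flag" "$(classify_handshake "$out")"
}

# Probe SSLv3 (which options=NO_SSLv3 should block) alongside the TLS
# versions; TLS 1.2 doubles as a control that the listener is reachable.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_version "$1" "$flag"
    done
}

# Usage (placeholder host): probe_all proxy.example.net:443
```

Expect "-ssl3 rejected" once NO_SSLv3 is on the port line; the same probe cannot exercise sslproxy_options, since that governs Squid's own outbound handshakes to origin servers.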

