[squid-users] Disable SSLv3 on Squid doesn't seem to work

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 21 15:29:26 UTC 2014



On 22/11/2014 3:57 a.m., Sebastian Fohler wrote:
> I've disabled SSLv3 with this option set in my squid.conf file:
> 
> sslproxy_options NO_SSLv3 NO_SSLv2
> 
> But despite the fact that the squid proxy accepted the configuration
> without any problems, I still get SSLv3 connections working. I've
> sniffed the traffic on that interface on the proxy port, and if I
> do an SSLv3 connection from the browser and do a POODLE check, the
> sniffing protocol shows an established SSLv3 connection.

The connection between browser and Squid is controlled by the *_port
settings.

sslproxy_* directives are purely for DIRECT or ORIGINAL_DST server
connections.

> 
> Can someone tell me if I missed something here?

The sslproxy_options setting is an OpenSSL format string, which is a
list of comma (',') or colon (':') separated OpenSSL option names.


What you need to configure is something like these:

 # to prevent SSL on inbound traffic
 https_port ...  options=NO_SSLv3:NO_SSLv2
 http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2

 # to prevent SSL on direct server traffic
 sslproxy_options NO_SSLv3:NO_SSLv2

 # to prevent SSL on relayed peer connections
 cache_peer ... ssloptions=NO_SSLv3:NO_SSLv2


> Is there some option which could override the sslproxy_options
> setting?

If anything the OpenSSL library configuration may have such options.
But AFAIK that is for configuring the defaults and squid.conf settings
are overriding them.


> How can I check if the sslproxy_options are really being used?

Good question. I'm not aware of anything in particular. If there is an
SSL/TLS testing website, connecting to it through Squid should tell you.

Amos

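An added example, not part of this thread and not code from the Squid project, that turns the three-leg mapping in the reply above into a check. It is a small POSIX shell script that audits a squid.conf for each leg (inbound *_port options=, outbound sslproxy_options, peer ssloptions=), flags the space-separated sslproxy_options value from the original question, and probes a listening bumping or https_port with openssl s_client. The sample configurations, host names and certificate paths are constructed for the example; the live probe assumes an OpenSSL build that still offers -ssl3.

```shell
#!/bin/sh
# Audit which squid.conf directive controls SSLv3 on each connection leg,
# then (optionally) probe a live port. Example code, not Squid's own.
set -eu

# Constructed sample reproducing the thread's misconfiguration: a bumping
# port with no options=, and sslproxy_options given as two tokens instead
# of one colon-separated string.
SAMPLE_CONF='http_port 3128
http_port 3129 ssl-bump cert=/etc/squid/proxy.pem
https_port 3130 cert=/etc/squid/proxy.pem options=NO_SSLv3:NO_SSLv2
sslproxy_options NO_SSLv3 NO_SSLv2
cache_peer parent.example.net parent 443 0 ssl
'

# Constructed corrected version: every leg carries NO_SSLv3:NO_SSLv2.
FIXED_CONF='http_port 3128
http_port 3129 ssl-bump cert=/etc/squid/proxy.pem options=NO_SSLv3:NO_SSLv2
https_port 3130 cert=/etc/squid/proxy.pem options=NO_SSLv3:NO_SSLv2
sslproxy_options NO_SSLv3:NO_SSLv2
cache_peer parent.example.net parent 443 0 ssl ssloptions=NO_SSLv3:NO_SSLv2
'

# audit_conf CONF_TEXT: print one finding per line for each leg that still
# allows SSLv3 (or whose option string is malformed). No output = clean.
audit_conf() {
  printf '%s\n' "$1" | awk '
    # Browser -> Squid leg: https_port, or http_port with ssl-bump, needs options=
    /^https_port / || (/^http_port / && / ssl-bump/) {
      if ($0 !~ /options=[^ ]*NO_SSLv3/)
        print "inbound: " $1 " " $2 " lacks options=NO_SSLv3"
    }
    # Squid -> origin (DIRECT / ORIGINAL_DST) leg: one token, colon- or comma-separated
    /^sslproxy_options / {
      if (NF > 2)
        print "outbound: sslproxy_options must be one token, got " (NF-1) " tokens"
      else if ($2 !~ /NO_SSLv3/)
        print "outbound: sslproxy_options does not disable SSLv3"
    }
    # Squid -> TLS peer leg: needs ssloptions= on the cache_peer line
    /^cache_peer / && / ssl/ {
      if ($0 !~ /ssloptions=[^ ]*NO_SSLv3/)
        print "peer: " $2 " lacks ssloptions=NO_SSLv3"
    }
  '
}

# count_findings CONF_TEXT: number of findings (0 means every leg rejects SSLv3).
count_findings() {
  audit_conf "$1" | grep -c . || true
}

# probe_sslv3 HOST PORT: attempt an SSLv3-only handshake against a bumping
# http_port or an https_port. A refused handshake means options= took effect.
# Needs an OpenSSL build that still includes -ssl3; otherwise the probe is
# inconclusive and we say so instead of reporting a false "rejected".
probe_sslv3() {
  if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
    echo "this OpenSSL build has no -ssl3; cannot probe $1:$2" >&2
    return 2
  fi
  if printf '' | openssl s_client -connect "$1:$2" -ssl3 2>/dev/null \
       | grep -q 'Protocol *: SSLv3'; then
    echo "SSLv3 ACCEPTED on $1:$2"
    return 1
  fi
  echo "SSLv3 rejected on $1:$2"
}

# Offline demonstration: the thread's config yields three findings, the fixed one none.
echo "--- findings for the original configuration ---"
audit_conf "$SAMPLE_CONF"
echo "--- findings for the corrected configuration ---"
audit_conf "$FIXED_CONF"
# Live check of a bumping port (host name is a placeholder):
# probe_sslv3 proxy.example.net 3129
```

The audit only reads the file; it cannot see what the running Squid actually negotiates, which is what the original question asked. For the inbound leg, probe_sslv3 gives that answer directly. For the outbound leg there is no offline check: with ssl-bump in place, fetching a TLS-reporting site through the proxy (for instance curl -x http://proxy.example.net:3128 https://www.howsmyssl.com/a/check, host name again a placeholder) reports the protocol Squid itself negotiated with the origin, which is the leg sslproxy_options governs. A plain CONNECT tunnel is not affected by that directive at all, since Squid never terminates its TLS.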