[squid-users] Disable SSLv3 on Squid doesn't seem to work

Sebastian Fohler info at far-galaxy.de
Fri Nov 21 16:07:06 UTC 2014


Thank you Amos,

I've implemented http_port 80 ssl-bump options=NO_SSLv3:NO_SSLv2
Yet still the proxy accepts SSLv3 connections in the sniffing protocol.

Something is still wrong.

Best regards
Sebastian

On 21.11.2014 16:29, Amos Jeffries wrote:
> On 22/11/2014 3:57 a.m., Sebastian Fohler wrote:
>> I've disabled SSLv3 with this option set in my squid.conf file:
>>
>> sslproxy_options NO_SSLv3 NO_SSLv2
>>
>> But despite the fact that the squid proxy accepted the configuration
>> without any problems, I still get SSLv3 connections working. I've
>> sniffed the traffic on that interface on the proxy port and if I
>> do a SSLv3 connection from the browser and do a poodle check, the
>> sniffing protocol shows an established SSLv3 connection.
>
> The connection between browser and Squid is controlled by the *_port
> settings.
>
> sslproxy_* directives are purely for DIRECT or ORIGINAL_DST server
> connections.
>
>>
>> Can someone tell me if I missed something here?
>
> The sslproxy_options setting is an OpenSSL format string, which is a
> list of comma (',') or colon (':') separated OpenSSL option names.
>
>
> What you need to configure is something like these:
>
>   # to prevent SSL on inbound traffic
>   https_port ...  options=NO_SSLv3:NO_SSLv2
>   http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2
>
>   # to prevent SSL on direct server traffic
>   sslproxy_options NO_SSLv3:NO_SSLv2
>
>   # to prevent SSL on relayed peer connections
>   cache_peer ... ssloptions=NO_SSLv3:NO_SSLv2
>
>
>> Is there some option which could override the sslproxy_options
>> setting?
>
> If anything the OpenSSL library configuration may have such options.
> But AFAIK that is for configuring the defaults and squid.conf settings
> are overriding them.
>
>
>> How can I check if the sslproxy_options are really being used?
>
> Good question. I'm not aware of anything in particular. If there is an
> SSL/TLS testing website connecting to it through Squid should tell you.
>
> Amos

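The open question in the thread is how to verify which protocols a Squid listener actually accepts, rather than trusting that the directive was parsed. The following is an added example, not code from this list thread or from the Squid project: a small Python probe that sends a hand-built SSLv3 ClientHello to a listener and reports whether the first record that comes back is an SSLv3 ServerHello (accepted), a TLS alert (rejected) or something else such as an HTTP error page. Because modern OpenSSL builds are usually compiled without SSLv3, `openssl s_client -ssl3` is often unavailable, so the ClientHello is assembled from raw bytes. The optional `--proxy` mode first sends an HTTP `CONNECT` through Squid so that an `http_port ... ssl-bump` listener answers the handshake itself, which is the client-facing side Amos says the `*_port options=` directives control; it does not exercise `sslproxy_options`, which govern Squid's own outbound connections, and if Squid splices instead of bumping, the reply comes from the origin server. Host names, ports and the `SSL3_CIPHER_SUITES` selection are assumptions for illustration.

```python
"""SSLv3 acceptance probe: hand-built ClientHello, verdict from the first record back."""
import argparse
import os
import socket
import struct

SSL3_VERSION = 0x0300
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_SERVER_HELLO = 0x02
# Arbitrary SSLv3-era suites (assumption); the offer only has to overlap what the server allows.
SSL3_CIPHER_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_ssl3_client_hello(random_bytes=None):
    """Return one SSLv3 record (version 3.0) carrying a ClientHello without extensions."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        struct.pack("!H", SSL3_VERSION)            # client_version 3.0
        + random_bytes                             # gmt_unix_time + random (32 bytes)
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello + 24-bit length
    return struct.pack("!BHH", CONTENT_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Turn the first record the peer sent back into a verdict string."""
    if len(data) < 5:
        return "no-tls-response"
    ctype, _record_version, _length = struct.unpack("!BHH", data[:5])
    if ctype == CONTENT_ALERT:
        if len(data) >= 7:
            return "sslv3-rejected (alert level=%d description=%d)" % (data[5], data[6])
        return "sslv3-rejected (alert)"
    if ctype == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # ServerHello: type(1) length(3) server_version(2) ...; the negotiated
        # version is this field, not the record-layer version in the header.
        server_version = struct.unpack("!H", data[9:11])[0]
        if server_version == SSL3_VERSION:
            return "sslv3-accepted"
        return "handshake-with-version-0x%04x" % server_version
    return "no-tls-response"  # e.g. an HTTP error page, or the peer closed the connection


def _recv_until(sock, marker, limit=8192):
    """Read until `marker` appears, EOF, or `limit` bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, proxy=None, timeout=5.0):
    """Connect (optionally through an HTTP CONNECT tunnel via `proxy`, a (host, port)
    tuple), send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection(proxy or (host, port), timeout=timeout) as sock:
        if proxy:
            sock.sendall(("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
                          % (host, port, host, port)).encode())
            status_line = _recv_until(sock, b"\r\n\r\n").split(b"\r\n")[0]
            if not status_line.startswith(b"HTTP/1.") or b" 200" not in status_line:
                return "connect-refused: " + status_line.decode("ascii", "replace")
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
        return classify_response(data)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Does this listener still complete an SSLv3 handshake?")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--proxy", help="Squid host:port to send a CONNECT through first "
                                    "(assumed example: squid.example.com:3128)")
    args = ap.parse_args()
    proxy_addr = None
    if args.proxy:
        proxy_host, proxy_port = args.proxy.rsplit(":", 1)
        proxy_addr = (proxy_host, int(proxy_port))
    print(probe(args.host, args.port, proxy_addr))
```

Run it against an `https_port` directly (`python ssl3probe.py proxy.example.com 3129`), or against a bumping `http_port` via `--proxy proxy.example.com:3128`, before and after adding `options=NO_SSLv3:NO_SSLv2`; the verdict should move from `sslv3-accepted` to an alert (typically `handshake_failure`, description 40, or `protocol_version`, description 70). The verdict is taken from the ServerHello's version field rather than the record header on purpose: the record-layer version on the first server record is not what the connection will use.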