[squid-users] Question squid on centos 6.5 and poodle

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 17 07:20:37 UTC 2014



On 17/10/2014 7:24 p.m., Alexander Samad wrote:
> Hi
> 
> I am trying to reconfig the ssl setup on a reverse proxy set
> 
> https_port 2.7.3.1:443 accel
> cert=/etc/httpd/conf.d/office.xyz.com.crt 
> key=/etc/httpd/conf.d/office.xyz.com.key 
> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam 
> defaultsite=office.yieldbroker.com  options=NO_SSLv2,NO_SSLv3 
> cipher=ALL:!SSLv2:!SSLv3@STRENGTH
> 
> But I only get a limited list of ciphers, completely different
> from openssl ciphers 'ALL:!SSLv2:!SSLv3@STRENGTH'
> 
> in fact it doesn't seem to look at the cipher option at all

There seems to be some FUD and confusion going around since POODLE was
announced. In particular people mentioning a "cipher" called SSLv3.

The cipher having problems is CBC. The SSLv3 is simply the SSL/TLS
version where that cipher is mandatory to support.

Let's be clear:  cipher != SSL/TLS version

The cipher being unusable now *also* makes the whole version unusable
and dangerous. Just like SSLv2 some years ago when the last of its
ciphers was broken, and TLSv1.0 will someday soon.


The "options=NO_SSLv2,NO_SSLv3" that you have set is sufficient to
close the POODLE vulnerability.

NP: Do make sure you have Squid 3.2 or later; the older ones enabled
some "default" options that are pretty bad these days.

> 
> any pointers on what I am doing wrong
> 
> right now I am left with https_port 2.7.3.1:443 accel
> cert=/etc/httpd/conf.d/office.xyz.com.crt 
> key=/etc/httpd/conf.d/office.xyz.com.key 
> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam 
> defaultsite=office.yieldbroker.com  options=NO_SSLv2,NO_SSLv3
> 
> but https://www.ssllabs.com/ssltest/ gives me an A- .. no PFS.

That, I'm afraid, depends on your OpenSSL library. Some of them have PFS
ciphers enabled by default, some you have to add options or ciphers to
get it, some don't support it at all.

You do need dhparams= to enable them. But beyond that it's all OpenSSL.

Amos
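
As an added illustration of the point above that the version options and the cipher list are two separate settings (example code written for this page, not from the thread or from Squid), the script below models the https_port line in Python's ssl module: the options= names are mapped to OpenSSL flags, the cipher= string is handed to OpenSSL unchanged, and the resulting suite list is inspected the way "openssl ciphers -v" shows it. The function names squid_like_context, suites, pfs_suites and disables_sslv3 are assumptions; note that a modern Python/OpenSSL already switches SSLv2/SSLv3 off by default, which is Amos's point about older releases.

```python
import ssl

# Squid https_port "options=" names and the OpenSSL flags they turn on.
# Assumption: only the two names used in the post are mapped here.
SQUID_OPTIONS = {"NO_SSLv2": ssl.OP_NO_SSLv2, "NO_SSLv3": ssl.OP_NO_SSLv3}


def squid_like_context(options="", cipher=None):
    """Build a server context the way the https_port line does: protocol
    versions come from options=, the suite list from cipher= (the library
    default applies when cipher= is absent). Modern Python already sets
    OP_NO_SSLv2|OP_NO_SSLv3, so the flags are a no-op there."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in filter(None, options.split(",")):
        ctx.options |= SQUID_OPTIONS[name]
    if cipher:
        ctx.set_ciphers(cipher)  # raises SSLError if nothing survives the spec
    return ctx


def suites(ctx):
    """name -> protocol that first defined the suite, i.e. the second column
    of the 'openssl ciphers -v' line (SSLv3, TLSv1, TLSv1.2 or TLSv1.3)."""
    return {c["name"]: c["description"].split()[1] for c in ctx.get_ciphers()}


def pfs_suites(ctx):
    """Suites with ephemeral (EC)DH key exchange. TLS 1.3 suites report
    kx-any because every TLS 1.3 key exchange is ephemeral."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "dhe" in c["kea"] or c["kea"] == "kx-any")


def disables_sslv3(ctx):
    """True when the SSLv3 *version* is off, whatever the cipher list says."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    full = squid_like_context("NO_SSLv2,NO_SSLv3", "ALL")
    trimmed = squid_like_context("NO_SSLv2,NO_SSLv3", "ALL:!SSLv2:!SSLv3@STRENGTH")
    # Same version options on both contexts; only the cipher string differs.
    print("SSLv3 version disabled:", disables_sslv3(full), disables_sslv3(trimmed))
    dropped = set(suites(full)) - set(suites(trimmed))
    print("suites removed by !SSLv3 (those first defined for SSLv3):")
    for name in sorted(dropped):
        print("  ", name, suites(full)[name])
    print("PFS suites still offered:", pfs_suites(trimmed))
```

The "!SSLv3" keyword removes every suite whose minimum version is SSLv3 (the RSA-key-exchange CBC suites), which is why the list looked so short, while the version itself is governed only by options=.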
