[squid-users] Question squid on centos 6.5 and poodle

Alexander Samad alex at samad.com.au
Mon Oct 20 01:28:11 UTC 2014


Hi

Thanks for clearing that up. So when I do an openssl ciphers and select
the ciphers I want, including the PFS-enabled ones, I take the list and
try and use it in ciphers= and the list seems to be disregarded and
only 1 cipher is available, at least from online checking and with
nmap.

I have nossl2 and nossl3; that covers me for most things apart from PFS.

I am not ready to upgrade to a non-RHEL/CentOS version as that has
other implications! But in the end, if I must


I am wondering if that's a known bug or I am configuring it wrongly.


This is the cipher list I have tried as well:

openssl ciphers 'ALL:!SSLv2:!SSLv3:@STRENGTH'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256


ldd points to /usr/lib64/libssl.so.10 and

openssl-1.0.1e-30.el6_5.2.x86_64


Alex

On 17 October 2014 18:20, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 17/10/2014 7:24 p.m., Alexander Samad wrote:
>> Hi
>>
>> I am trying to reconfig the ssl setup on a reverse proxy set
>>
>> https_port 2.7.3.1:443 accel
>> cert=/etc/httpd/conf.d/office.xyz.com.crt
>> key=/etc/httpd/conf.d/office.xyz.com.key
>> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
>> defaultsite=office.yieldbroker.com  options=NO_SSLv2,NO_SSLv3
>> cipher=ALL:!SSLv2:!SSLv3@STRENGTH
>>
>> But I only get a limited list of ciphers, completely different
>> from openssl ciphers 'ALL:!SSLv2:!SSLv3@STRENGTH'
>>
>> in fact it doesn't seem to look at the cipher option at all
>
> There seems to be some FUD and confusion going around since POODLE was
> announced. In particular people mentioning a "cipher" called SSLv3.
>
> The cipher having problems is CBC. The SSLv3 is simply the SSL/TLS
> version where that cipher is mandatory to support.
>
> Let's be clear: cipher != SSL/TLS version
>
> The cipher being unusable now *also* makes the whole version unusable
> and dangerous. Just like SSLv2 some years ago when the last of its
> ciphers was broken, and TLSv1.0 will someday soon.
>
>
> The "options=NO_SSLv2,NO_SSLv3" that you have set is sufficient to
> close the POODLE vulnerability.
>
> NP: Do make sure you have a Squid 3.2 or later, the older ones enabled
> some "default" options that are pretty bad these days.
>
>>
>> and pointers on what I am doing wrong
>>
>> right now I am left with https_port 2.7.3.1:443 accel
>> cert=/etc/httpd/conf.d/office.xyz.com.crt
>> key=/etc/httpd/conf.d/office.xyz.com.key
>> dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam
>> defaultsite=office.yieldbroker.com  options=NO_SSLv2,NO_SSLv3
>>
>> but https://www.ssllabs.com/ssltest/ gives me an A- .. no PFS.
>
> That, I'm afraid, depends on your OpenSSL library. Some of them have PFS
> ciphers enabled by default, some you have to add options or ciphers to
> get it, some don't support it at all.
>
> You do need dhparams= to enable them. But beyond that it's all OpenSSL.
>
> Amos
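As an added example (not from the thread), a Python audit of the cipher list Alex posted: it splits the names by key exchange, showing that `ALL` pulled in the anonymous ADH- suites (unauthenticated, so open to interception) and the static ECDH-/RSA suites (no forward secrecy), keeps only the authenticated ephemeral suites in their @STRENGTH order, and reports which of those the local OpenSSL actually enables. The function and variable names are mine; for the squid.conf side, note that the quoted https_port line spells the option cipher=.

```python
import ssl

# Alex's list: output of `openssl ciphers 'ALL:!SSLv2:!SSLv3:@STRENGTH'` on openssl-1.0.1e.
ALEX_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:"
    "ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:"
    "ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:"
    "ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256"
)

def classify(name):
    """Key-exchange class read from the OpenSSL cipher name prefix."""
    if name.startswith(("ADH-", "AECDH-")):  # ephemeral DH, but no authentication at all
        return "anonymous"
    if name.startswith(("ECDHE-", "DHE-", "TLS_")):  # authenticated ephemeral (TLS 1.3 included)
        return "pfs"
    return "static"  # RSA key transport or static (EC)DH: no forward secrecy

def audit(cipher_string):
    """Group every name of a colon-separated cipher string by classify()."""
    groups = {"pfs": [], "anonymous": [], "static": []}
    for name in cipher_string.split(":"):
        if name:
            groups[classify(name)].append(name)
    return groups

def hardened(cipher_string):
    """Keep only authenticated PFS suites, preserving the original (@STRENGTH) order."""
    return ":".join(audit(cipher_string)["pfs"])

def local_openssl_accepts(cipher_string):
    """Names the local OpenSSL enables for this string (TLS 1.3 suites excluded, since
    OpenSSL lists them regardless of the string); [] if the whole string is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

if __name__ == "__main__":
    print({kind: len(names) for kind, names in audit(ALEX_CIPHERS).items()})
    print(hardened(ALEX_CIPHERS))
    print(len(local_openssl_accepts(hardened(ALEX_CIPHERS))), "accepted by local OpenSSL")
```

Names the local library does not know (DSS suites on newer OpenSSL builds, for instance) are silently dropped by set_ciphers, which is the same thing that happens when squid hands the string to OpenSSL, so the last line is the number that matters.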
