[squid-users] Squid Upgrade from 3.4.12 to 3.5.3 on FreeBSD 10.1 broke Exchange RPC reverse proxy

Daniel K. Lima dklima at gmail.com
Fri Apr 24 02:56:09 UTC 2015


In June, Firefox will entirely drop its support for SSLv3.
On Thu, Apr 23, 2015 at 11:11 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 24/04/2015 7:11 a.m., dweimer wrote:
> > On 04/23/2015 9:24 am, dweimer wrote:
> >> I upgraded our Reverse proxy from 3.4.12 to 3.5.3 via the FreeBSD
> >> ports last night. It has broken our Outlook RPC over HTTPS. OWA and
> >> Phones are still connecting with Active Sync, it's just the RPC for
> >> Outlook anywhere that is broken.
> >>
> >> Did anyone else have any issues when upgrading from 3.4 branch to 3.5
> >> branch with Outlook RPC?
> >
> > In case anyone else is having an issue, I found the solution. Which also
> > solved a long standing issue with larger file uploads through
> > OWA/ActiveSync/RPC, that we were having. I had to force the cache peer
> > to use SSLv3 instead of TLSv1.0 by adding sslversion=3 to the cache peer
> > line.
> >
> > cache_peer 1.1.1.1 parent 443 0 ssl no-query proxy-only no-digest
> > originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER
> > login=PASSTHRU front-end-https=on connection-auth=on sslversion=3
> >
> > The HTTPS port line is still enforcing TLSv1.0 or newer, with restricted
> > ciphers.
> >
> > https_port 1.1.1.2:443 accel cert=... key=...
> > options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE
> > cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4
> >
> >
>
> Ouch. Good to know, thank you.
>
> FYI:
> That workaround is one to keep an eye on. You may find the workaround
> needs undoing at some point soonish.
> MS are officially in the process of releasing updates that remove and
> disable SSLv3 support from their software. It began back in Oct/Nov 2014
> and seems to be moving across the product range in a staged rollout with
> each of the "Patch Tuesday" so far (and probably some future).
>
> Amos
>
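
The workaround discussed in this thread (sslversion=3 and sslflags=DONT_VERIFY_PEER on the cache_peer line, NO_SSLv3 on the https_port line) can be tracked with a small config audit. This is an added example, not part of the thread or of Squid itself; the sample config, its addresses and paths, and the finding codes are constructed for illustration.

```python
import re

# Constructed sample modelled on the directives quoted in the thread;
# addresses, paths and the second peer/listener are placeholders.
SAMPLE_CONF = """\
# Exchange reverse proxy
https_port 192.0.2.2:443 accel cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE
https_port 192.0.2.4:443 accel cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2
cache_peer 192.0.2.1 parent 443 0 ssl no-query originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER login=PASSTHRU sslversion=3
cache_peer 192.0.2.3 parent 443 0 ssl no-query originserver name=other_parent
"""

def parse_directives(text):
    """Yield (line_no, directive, bare_args, key=value options) per config line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        bare = [t for t in tokens[1:] if "=" not in t]
        opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield line_no, tokens[0], bare, opts

def flag_set(value):
    # The thread shows ':' as the separator; ',' is also split on as a precaution.
    return {f for f in re.split(r"[:,]", value or "") if f}

def audit(text):
    """Return sorted (line_no, subject, finding_code) tuples."""
    findings = []
    for line_no, name, bare, opts in parse_directives(text):
        if name == "cache_peer" and "ssl" in bare:
            peer = opts.get("name", bare[0])
            if opts.get("sslversion") == "3":  # peer link pinned to SSLv3
                findings.append((line_no, peer, "PEER_FORCED_SSLV3"))
            if "DONT_VERIFY_PEER" in flag_set(opts.get("sslflags")):
                findings.append((line_no, peer, "PEER_CERT_NOT_VERIFIED"))
        elif name == "https_port" and bare:
            if "NO_SSLv3" not in flag_set(opts.get("options")):
                findings.append((line_no, bare[0], "LISTENER_SSLV3_NOT_DISABLED"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, subject, code in audit(SAMPLE_CONF):
        print(f"line {line_no}: {subject}: {code}")
```
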