[squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)

Martin Tenev martintinten at gmail.com
Mon Nov 21 17:17:55 UTC 2016

Without restricting the ciphers it seems to work fine; however, some of the
ciphers are vulnerable to attacks... Furthermore, I think if I try some weird
cipher which Squid does not support, the same thing will happen...

On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:

> But what happens when you are not restricting the cipher with all this mess
> in the options?
> Would the DoS from nmap then also result in the same issue?
> Eliezer
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Martin Tenev
> Sent: Monday, November 21, 2016 19:01
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using
> unsupported cipher (complete DoS)
> Hello,
> I am having problems with Squid & SSL. I have set up Squid in a reverse-proxy
> configuration and overall it works fine; however, for security reasons I had
> to disable some of the ciphers. I have taken an example configuration from
> http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty
> much like this (this is the example from the website, but the disabled
> ciphers are the same for me as well):
> https_port  443 accel defaultsite=someinternalhost vhost
> cert=/etc/squid/CertAuth/supersecret.crt
> key=/etc/squid/CertAuth/supersecret.key
> RSA-AES256-SHA256:D
> SHA256:AES256-SHA256
> :!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/dhparams.pem
> During my build I have included the config options --enable-ssl and
> --with-openssl=/usr
> Using the proxy through a browser works fine, but if I try nmap --script
> ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA'
> -connect <host>, these commands result in a complete DoS for a few minutes. I
> figured out that only the unsupported or disabled ciphers cause this
> problem. Also, when I do the openssl connection as shown above, the proxy will
> be unresponsive as long as openssl is trying to connect using the disabled
> cipher. As soon as it finishes (e.g. times out, unable to connect using RC4),
> the proxy starts serving requests again. I should mention that I am running
> Squid inside a Docker container, if this matters at all.
> The errors in my logs are:
> "Error negotiating SSL connection on FD 22: error 1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
> "Error negotiating SSL connection on FD 25: error 1408A10B:SSL
> routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
> P.S. I also tried Squid 4 and got exactly the same problem.
> Any help will be much appreciated
> Thanks!
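Added example, not code from the post or from the Squid project: a small Python parser that picks the "Error negotiating SSL connection" lines out of cache.log (modelled on the two errors quoted above) and counts failed ClientHellos by reason, so a defender can tell a burst of "no shared cipher" handshakes apart from ordinary traffic and go check whether the proxy is still answering. The timestamp and "kid1|" prefix and the sample lines are constructed assumptions about the cache.log layout.

```python
import re
from collections import Counter

# Constructed sample cache.log excerpt (not from the post); the timestamp and
# "kid1|" prefix are assumptions, the error text is modelled on the post's logs.
SAMPLE_LOG = """\
2016/11/21 18:55:01 kid1| Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 18:55:01 kid1| Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
2016/11/21 18:55:02 kid1| Error negotiating SSL connection on FD 23: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 18:55:02 kid1| Error negotiating SSL connection on FD 24: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 18:55:03 kid1| Starting Squid Cache version 3.5.21 for x86_64-pc-linux-gnu...
"""

# Timestamp, optional "kidN" worker tag, then the OpenSSL error layout
# "error <hexcode>:SSL routines:<function>: <reason> (<n>/<m>)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)(?: kid\d+)?\| Error negotiating SSL connection on FD "
    r"(?P<fd>\d+): error (?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[A-Z0-9_]+): (?P<reason>.+?) \(\d+/-?\d+\)$"
)


def parse_handshake_errors(text):
    """Return one dict per handshake-error line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["fd"] = int(event["fd"])
            events.append(event)
    return events


def reason_counts(events):
    """Count failed ClientHellos by OpenSSL reason string."""
    return Counter(e["reason"] for e in events)


def flag_handshake_flood(events, threshold=3):
    """Reasons whose count reaches the threshold. The post describes a single
    slow handshake stalling the proxy, so a high count is a trigger to test
    responsiveness, not proof of an outage on its own."""
    return {r: n for r, n in reason_counts(events).items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_handshake_errors(SAMPLE_LOG)
    print(reason_counts(evts))
    print(flag_handshake_flood(evts))
```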