[squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 21 17:48:18 UTC 2016


Can you file a bug at the Bugzilla please?
http://bugs.squid-cache.org/enter_bug.cgi

This is a very important issue to handle for both 3.5 and 4.0.

Eliezer

If you are having any trouble handling the Bugzilla, let me know and I will
try to help.

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
 

From: Martin Tenev [mailto:martintinten at gmail.com] 
Sent: Monday, November 21, 2016 19:18
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.5.21 "hangs" when trying to connect
using unsupported cipher (complete DoS)

Without restricting the ciphers it seems to work fine; however, some of the
ciphers are vulnerable to attacks... Furthermore, I think that if I try some
weird cipher which Squid does not support, the same thing will happen...

On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
But what happens when you are not restricting the cipher, without all this mess
in the options?
Would the DoS from nmap then also result in the same issue?

Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Martin Tenev
Sent: Monday, November 21, 2016 19:01
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using
unsupported cipher (complete DoS)

Hello,

I am having problems with Squid & SSL. I have set up Squid in a reverse-proxy
configuration and overall it works fine; however, for security reasons I had
to disable some of the ciphers. I have taken an example configuration from
http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty
much like this (this is the example from the website, but the disabled
ciphers are the same for me as well):

https_port 443 accel defaultsite=someinternalhost vhost
    cert=/etc/squid/CertAuth/supersecret.crt
    key=/etc/squid/CertAuth/supersecret.key
    options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE
    cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    dhparams=/etc/squid/CertAuth/dhparams.pem

During my build I included the configure options --enable-ssl and
--with-openssl=/usr.

Using the proxy through a browser works fine, but if I try nmap --script
ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA'
-connect <host>, these commands result in a complete DoS for a few minutes. I
figured out that only the unsupported or disabled ciphers cause this
problem. Also, when I make the openssl connection as shown above, the proxy
will be unresponsive for as long as openssl is trying to connect using the
disabled cipher. As soon as it finishes (e.g. times out, unable to connect
using RC4), the proxy starts serving requests again. I should mention that I
am running Squid inside a Docker container, if this matters at all.

The errors in my logs are:

Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)

Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)

P.S. I also tried Squid 4 and got exactly the same problem.

Any help will be much appreciated.

Thanks!
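A defender-side log check for this symptom, as an added example that is not code from the thread or from Squid: it parses the "Error negotiating SSL connection" lines quoted above out of cache.log, counts failures by OpenSSL reason, and flags a burst of them inside a short window, which is the trace a stall like the one described would leave behind. The timestamp/"kid1|" prefix on each line is an assumption about Squid's cache.log format, and the non-error lines in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed cache.log excerpt: the FD 22 and FD 25 lines are the ones quoted in
# the post; the prefix format and the other lines are assumptions/constructed.
SAMPLE_LOG = """\
2016/11/21 18:55:01 kid1| Accepting reverse-proxy HTTPS Socket connections at local=0.0.0.0:443 remote=[::] FD 12 flags=9
2016/11/21 18:55:40 kid1| Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 18:55:41 kid1| Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
2016/11/21 18:55:42 kid1| Error negotiating SSL connection on FD 26: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
"""

# One failed-handshake line: timestamp, optional SMP kid tag, FD, OpenSSL code, reason.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+)?\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error (?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+): (?P<reason>.+?) \(\d+/-?\d+\)$"
)

def parse_handshake_errors(log_text):
    """Return one dict per failed TLS handshake line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "fd": int(m["fd"]),
                "code": m["code"].upper(),   # e.g. 1408A0C1 = no shared cipher
                "reason": m["reason"],
            })
    return events

def failures_by_reason(events):
    """Count handshake failures per OpenSSL reason string."""
    return Counter(e["reason"] for e in events)

def burst_detected(events, window_seconds, threshold):
    """True if at least `threshold` failures fall inside some `window_seconds` window.
    One 'no shared cipher' line is just an incompatible client; a burst of them while
    the proxy stops answering is the pattern worth alerting on."""
    times = sorted(e["time"] for e in events)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1          # slide the window forward past stale entries
        if end - start + 1 >= threshold:
            return True
    return False
```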
