[squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)

Martin Vlad martintinten at gmail.com
Tue Nov 22 00:51:39 UTC 2016


I have submitted a bug: http://bugs.squid-cache.org/show_bug.cgi?id=4639

On Mon, Nov 21, 2016 at 5:48 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Can you file a bug at the Bugzilla please?
> http://bugs.squid-cache.org/enter_bug.cgi
>
> This is a very important issue to handle for both 3.5 and 4.0.
>
> Eliezer
>
> * If you are having any trouble handling the Bugzilla let me know and
> I will try to help.
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: Martin Tenev [mailto:martintinten at gmail.com]
> Sent: Monday, November 21, 2016 19:18
> To: Eliezer Croitoru <eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.21 "hangs" when trying to connect
> using unsupported cipher (complete DoS)
>
> Without restricting the ciphers it seems to work fine; however, some of the
> ciphers are vulnerable to attacks... Furthermore, I think if I try some weird
> cipher which Squid does not support, the same thing will happen...
>
> On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
> wrote:
> But what happens when you are not restricting the cipher with all this mess
> in the options?
> Would the DoS from nmap then also result in the same issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Martin Tenev
> Sent: Monday, November 21, 2016 19:01
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using
> unsupported cipher (complete DoS)
>
> Hello,
>
> I am having problems with squid & SSL. I have set up squid in reverse-proxy
> configuration and overall it works fine; however, for security reasons I had
> to disable some of the ciphers. I have taken an example configuration from
> http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty
> much like this (this is the example from the website, but the disabled
> ciphers are the same for me as well):
>
> https_port  443 accel defaultsite=someinternalhost vhost
> cert=/etc/squid/CertAuth/supersecret.crt
> key=/etc/squid/CertAuth/supersecret.key
> options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/dhparams.pem
>
> During my build I have included the config options --enable-ssl and
> --with-openssl=/usr
>
> Using the proxy through a browser works fine, but if I try nmap --script
> ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA'
> -connect <host>, these commands result in a complete DoS for a few minutes. I
> figured out that only the unsupported or disabled ciphers cause this
> problem. Also, when I do the openssl connection as shown above, the proxy
> will be unresponsive as long as openssl is trying to connect using the
> disabled cipher. As soon as it finishes (e.g. times out, unable to connect
> using RC4) the proxy starts serving requests again. I should mention that I
> am running squid inside a docker container, if this matters at all.
>
> The errors in my logs are:
> "Error negotiating SSL connection on FD 22: error 1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)"
>
> "Error negotiating SSL connection on FD 25: error 1408A10B:SSL
> routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)"
>
> P.S. I also tried Squid 4 and got exactly the same problem.
>
> Any help will be much appreciated
>
> Thanks!
>
>
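As an added defender-side example (not code from this thread or from the Squid project), the following Python script parses the two cache.log error shapes quoted above, counts them by OpenSSL error code and reason, and flags a burst of "no shared cipher" / "wrong version number" failures, which is the symptom the thread describes from the proxy side. The sample log lines, the kid1 timestamp prefix and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of cache.log lines in the shape quoted in the thread
# (timestamp/kid prefix added for realism; the parser ignores it).
SAMPLE_LOG = """\
2016/11/21 19:00:01 kid1| Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:01 kid1| Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
2016/11/21 19:00:02 kid1| storeLateRelease: released 0 objects
2016/11/21 19:00:02 kid1| Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:03 kid1| Error negotiating SSL connection on FD 23: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
"""

# Matches the failure message wherever it appears in the line.
FAILURE_RE = re.compile(
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error (?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+): "
    r"(?P<reason>[^(]+?)\s*\("
)

# Reasons produced by a cipher scan or a client pinned to a disabled cipher.
HANDSHAKE_MISMATCH = {"no shared cipher", "wrong version number"}


def parse_failures(lines):
    """Return a dict (fd, code, func, reason) per negotiation failure found."""
    return [m.groupdict() for m in map(FAILURE_RE.search, lines) if m]


def summarize(failures):
    """Count failures by (OpenSSL error code, reason) for quick triage."""
    return Counter((f["code"], f["reason"]) for f in failures)


def flag_cipher_probe(failures, threshold=5):
    """Return (flagged, count) of handshake-mismatch failures.

    A burst of these while the proxy stops answering is the symptom the
    thread describes; the threshold is an assumed value to tune per site.
    """
    count = sum(1 for f in failures if f["reason"] in HANDSHAKE_MISMATCH)
    return count >= threshold, count


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG.splitlines())
    for (code, reason), n in summarize(found).most_common():
        print(f"{code} {reason}: {n}")
    print("cipher probe suspected:", flag_cipher_probe(found, threshold=3))
```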