[squid-users] RC4-MD5 cipher is always enabled?

chiasa.men chiasa.men at web.de
Tue Sep 5 08:55:56 UTC 2017


Am Montag, 4. September 2017, 14:07:54 CEST schrieb Amos Jeffries:
> On 04/09/17 20:36, chiasa.men wrote:
> > "RC4-MD5" seems to be always enabled. Is there a way to prohibit RC4-MD5?
> > 
> > 
> > 
> > squid.conf:
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
> 
> The above line configures what the Squid listening port parameters are.
> There are no cipher restrictions listed, so any cipher the library
> configuration allows is accepted on client->Squid connections.
> 
> > sslproxy_version 6
> > sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
> > sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
> 
> These lines configure what Squid uses on its outbound server
> connections. Those connections (only) are restricted by !RC4:!MD5.
> 
> 
> Is the problem obvious now?
> 
> 
> To make the Squid listening port reject RC4 or MD5 you need to add an
> ssloptions= or sslcipher= parameter to the port line. Its syntax is the
> same as the values on the sslproxy_* lines.
> 
> 
> PS;
>   To make other services on the machine gain these same TLS protections
> you should find and alter the library config file instead. OpenSSL's
> libssl is a bit unusual, despite being a library it has its own
> system-wide config file just like applications.
> 
> The squid.conf should only contain things which are different from your
> machine's basic security profile.
> 
> 
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks, that was easy... but:

That does not work:

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5

openssl s_client -connect localhost:3128
140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:


Allowing RC4 and MD5 works:

https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5

openssl s_client -connect localhost:3128
    Cipher    : ECDH-ECDSA-RC4-SHA


But openssl works without allowing RC4 and MD5:

openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5'

openssl s_client -connect localhost:4433 
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384


So I guess the certificate and the openssl part should work. 
Maybe you could give another advice?

btw, the Squid version used:
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--with-openssl' '--enable-ssl-crtd' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
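The point the thread turns on is that `sslproxy_cipher` and `sslproxy_options` only shape Squid's outbound (Squid-to-origin) TLS, while what a client can negotiate against the listening port is decided solely by that port's own `cipher=`/`options=` parameters; the `ECDH-ECDSA-RC4-SHA` result above is exactly what a port-level cipher list that admits RC4 produces. The following audit script is an added example, not code from this thread or from the Squid project. It assumes the Squid 3.5 syntax shown above, treats `http_port` lines carrying `cert=` as TLS-terminating too, and approximates OpenSSL 1.0.x cipher-string rules (left-to-right, `!` pins an exclusion, `-` can be re-added) rather than calling libssl. The two squid.conf samples inside it are constructed: the first mirrors the original configuration from the thread, the second applies the port-level fix.

```python
"""Audit a squid.conf for client-facing TLS cipher/protocol restrictions.

Added example, not code from the thread or from the Squid project. It
assumes the Squid 3.5 syntax seen above: https_port parameters
(cipher=, options=) govern client->Squid TLS, while the sslproxy_*
directives govern only Squid->origin connections. The cipher-list
evaluation is a simplified approximation of OpenSSL 1.0.x rules, not
a call into libssl.
"""

# Cipher "families" this audit treats as weak (the thread's concern).
WEAK = {"RC4", "MD5"}

# Aggregate aliases that, in OpenSSL 1.0.x, can pull RC4/MD5 suites in.
# Assumption: treated conservatively as containing both weak families.
WEAK_ALIASES = {"ALL", "DEFAULT", "MEDIUM", "COMPLEMENTOFALL"}


def weak_families(token):
    """Return the subset of WEAK named by one cipher-string token."""
    name = token.upper()
    if name in WEAK_ALIASES:
        return set(WEAK)
    return {w for w in WEAK if w in name.split("-")}


def weak_allowed(cipher_string):
    """Approximate which weak families survive an OpenSSL cipher string.

    Modelled rules: tokens apply left to right; a bare token adds,
    '-X' removes (a later token may re-add), '!X' removes and pins the
    removal for the rest of the string, '+X' only reorders and '@...'
    is a sort directive. Returns the set of weak families still enabled.
    """
    allowed, banned = set(), set()
    for tok in cipher_string.split(":"):
        if not tok or tok.startswith("@") or tok.startswith("+"):
            continue
        if tok.startswith("!"):
            fams = weak_families(tok[1:])
            banned |= fams
            allowed -= fams
        elif tok.startswith("-"):
            allowed -= weak_families(tok[1:])
        else:
            allowed |= weak_families(tok) - banned
    return allowed


def parse_conf(text):
    """Yield (directive, args) for each non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def port_params(args):
    """Collect key=value parameters from an http(s)_port argument list."""
    return dict(a.split("=", 1) for a in args if "=" in a)


def audit(conf_text):
    """Return findings about TLS on *listening* ports only.

    sslproxy_* lines are deliberately ignored: they never restrict what
    a client may negotiate, which is the trap the thread fell into.
    """
    findings = []
    for directive, args in parse_conf(conf_text):
        if directive not in ("https_port", "http_port"):
            continue
        params = port_params(args)
        # Only TLS-terminating ports matter: https_port, or an http_port
        # that carries a certificate (ssl-bump style).
        if directive == "http_port" and "cert" not in params:
            continue
        port = args[0] if args else "?"
        if "cipher" not in params:
            findings.append(
                f"{directive} {port}: no cipher= parameter; clients get whatever "
                "libssl allows (sslproxy_cipher does not apply here)")
        else:
            weak = weak_allowed(params["cipher"])
            if weak:
                findings.append(
                    f"{directive} {port}: cipher= still allows "
                    + ",".join(sorted(weak)))
        if "options" not in params:
            findings.append(
                f"{directive} {port}: no options= parameter; protocol versions "
                "unrestricted on this port (sslproxy_options does not apply here)")
    return findings


# Constructed samples: ORIGINAL_CONF mirrors the thread's squid.conf,
# FIXED_CONF moves the restrictions onto the listening port itself.
ORIGINAL_CONF = """
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem
sslproxy_version 6
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
sslproxy_cipher ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
"""

FIXED_CONF = """
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}]")
        for finding in audit(conf) or ["no listening-port findings"]:
            print("  " + finding)
```

Run it against your own squid.conf by feeding the file contents to `audit()`. The cipher-string model is intentionally minimal: for an authoritative answer on what a given string expands to, `openssl ciphers -v '<string>'` on the same machine as Squid is the reference, and `openssl s_client -cipher RC4 -connect host:3128` against the running port is the end-to-end check.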


