[squid-users] RC4-MD5 cipher is always enabled?

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 5 09:57:06 UTC 2017

On 05/09/17 20:55, chiasa.men wrote> Thanks, that was easy... but:
> That does not work:
> https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
> example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
> openssl s_client -connect localhost:3128
> 140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:769:
> Allowing RC4 and MD5 works:
> https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/
> example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5
> openssl s_client -connect localhost:3128
>      Cipher    : ECDH-ECDSA-RC4-SHA
> But openssl works without allowing RC4 and MD5:
> openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher 'ECDHE-
> ECDSA-AES256-GCM-SHA384:!RC4:!MD5'
> openssl s_client -connect localhost:4433
>      Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> So I guess the certificate and the openssl part should work.
> Maybe you could give another advice?

	Colon separated list of supported ciphers.
	NOTE: some ciphers such as EDH ciphers depend on
	additional settings. If those settings are
	omitted the ciphers may be silently ignored
	by the OpenSSL library."

For the ECDHE-* ciphers to work the server end needs to be configured 
with curve parameters. That is done the tls-dh= option with a curve name 

	File containing DH parameters for temporary/ephemeral DH key
	exchanges, optionally prefixed by a curve for ephemeral ECDH
	key exchanges.
	See OpenSSL documentation for details on how to create the
	DH parameter file. Supported curves for ECDH can be listed
	using the "openssl ecparam -list_curves" command.

	WARNING: EDH and EECDH ciphers will be silently disabled if
	this option is not set.

> btw, the used squid version:
> Squid Cache: Version 3.5.12
> Service Name: squid
> Ubuntu linux

Please upgrade. Somewhat urgently.

* TLS/SSL has had a *lot* of progress in the past few years. There are 
many security related issues resolved in the latest releases which exist 
in the older ones.

* ECDHE is a good example of the change. It is not supported *at all* by 
that old version of Squid.

When using TLS/SSL support Squid-3.5.24 is currently the oldest 
acceptable Squid release as it contains extra mitigation for TLS DoS 
vulnerabilities. The current 3.5.27 would be best from the 3.5 series.

If you are not already aware there is no official security 
support/tracking from Debian and Ubuntu for TLS/SSL vulnerabilities as 
their packages do not ship with OpenSSL support. So following their 
stable/security package version is of no benefit for TLS/SSL issues, you 
need to track upstream releases yourself when custom building software 
(that goes for anything, not just Squid).


More information about the squid-users mailing list