[squid-users] RC4-MD5 cipher is always enabled?

Eliezer Croitoru eliezer at ngtech.co.il
Wed Sep 6 17:44:45 UTC 2017


What version of Ubuntu are you using?
I am releasing deb packages for the LTS versions at:
http://ngtech.co.il/repo/ubuntu/

I have yet to update the repo db but the latest version of 3.5 is there for 14.04 and 16.04 (with ssl-bump).

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of chiasa.men
Sent: Wednesday, September 6, 2017 18:34
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] RC4-MD5 cipher is always enabled?

On Tuesday, 5 September 2017, 11:57:06 CEST, Amos Jeffries wrote:
> On 05/09/17 20:55, chiasa.men wrote:
> > Thanks, that was easy... but:
> > That does not work:
> > 
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
> > 
> > openssl s_client -connect localhost:3128
> > 140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> > alert handshake failure:s23_clnt.c:769:
> > 
> > 
> > Allowing RC4 and MD5 works:
> > 
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5
> > 
> > openssl s_client -connect localhost:3128
> > 
> >      Cipher    : ECDH-ECDSA-RC4-SHA
> > 
> > But openssl works without allowing RC4 and MD5:
> > 
> > openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5'
> > 
> > openssl s_client -connect localhost:4433
> > 
> >      Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> > 
> > So I guess the certificate and the openssl part should work.
> > Maybe you could give another advice?
> 
> "
> cipher=
> 	Colon separated list of supported ciphers.
> 	NOTE: some ciphers such as EDH ciphers depend on
> 	additional settings. If those settings are
> 	omitted the ciphers may be silently ignored
> 	by the OpenSSL library."
> "
> 
> For the ECDHE-* ciphers to work the server end needs to be configured
> with curve parameters. That is done with the tls-dh= option with a curve name
> and
> 
> "
> tls-dh=[curve:]file
> 	File containing DH parameters for temporary/ephemeral DH key
> 	exchanges, optionally prefixed by a curve for ephemeral ECDH
> 	key exchanges.
> 	See OpenSSL documentation for details on how to create the
> 	DH parameter file. Supported curves for ECDH can be listed
> 	using the "openssl ecparam -list_curves" command.
> 
> 	WARNING: EDH and EECDH ciphers will be silently disabled if
> 	this option is not set.
> "
> 
> > btw, the used squid version:
> > Squid Cache: Version 3.5.12
> > Service Name: squid
> > Ubuntu linux
> 
> Please upgrade. Somewhat urgently.
> 
> * TLS/SSL has had a *lot* of progress in the past few years. There are
> many security related issues resolved in the latest releases which exist
> in the older ones.
> 
> * ECDHE is a good example of the change. It is not supported *at all* by
> that old version of Squid.
> 
> When using TLS/SSL support Squid-3.5.24 is currently the oldest
> acceptable Squid release as it contains extra mitigation for TLS DoS
> vulnerabilities. The current 3.5.27 would be best from the 3.5 series.
> 
> If you are not already aware there is no official security
> support/tracking from Debian and Ubuntu for TLS/SSL vulnerabilities as
> their packages do not ship with OpenSSL support. So following their
> stable/security package version is of no benefit for TLS/SSL issues, you
> need to track upstream releases yourself when custom building software
> (that goes for anything, not just Squid).
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks - rtfm often helps. Sorry for that!

Furthermore my certificates were not corresponding to the ecc so I had to 
regenerate them via "openssl ecparam" (not openssl rsa). Kind of obvious but I 
just forgot about them.

The version was simply compiled via apt source on Ubuntu. I'm using the 
current version now (un/fortunately Ubuntu is not bleeding edge)

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
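
A static check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages or of Squid: it scans https_port lines for ECDHE/DHE cipher entries that lack a matching tls-dh= setting, and for cipher lists that still enable RC4 or MD5. The sample configuration is constructed from the lines quoted above; the curve name prime256v1, the dhparams.pem path and the extra port numbers are assumptions.

```python
import re

# Constructed sample, modelled on the https_port lines quoted in the thread.
SAMPLE_CONF = """\
# first attempt from the thread: ECDHE requested, no tls-dh=
https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
# second attempt: handshake succeeds only because RC4/MD5 are allowed
https_port 3129 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5
# corrected form (curve name and DH file path are assumptions)
https_port 3130 accel defaultsite=www.example.com cert=/example/cert.pem key=/example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5 tls-dh=prime256v1:/example/dhparams.pem
"""

ECDHE = re.compile(r"ECDHE|EECDH")      # ephemeral ECDH key exchange
DHE = re.compile(r"(?<!EC)DHE|EDH")     # ephemeral finite-field DH, not ECDHE
WEAK = re.compile(r"RC4|MD5")


def enabled_tokens(cipher_string):
    """Cipher-list entries that add suites; '!', '-' and '+' entries never add any."""
    tokens = re.split(r"[:, ]+", cipher_string)
    return [t for t in tokens if t and t[0] not in "!-+"]


def audit_https_ports(conf_text):
    """Return (port, finding) pairs for each https_port line in a squid.conf text."""
    findings = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "https_port":
            continue
        port = fields[1]
        opts = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        enabled = enabled_tokens(opts.get("cipher", ""))
        tls_dh = opts.get("tls-dh")
        # tls-dh=[curve:]file -- ECDHE needs the curve prefix, DHE needs the file
        if any(ECDHE.search(t) for t in enabled) and (tls_dh is None or ":" not in tls_dh):
            findings.append((port, "ECDHE requested but tls-dh= names no curve"))
        if any(DHE.search(t) for t in enabled) and tls_dh is None:
            findings.append((port, "DHE requested but tls-dh= is not set"))
        if any(WEAK.search(t) for t in enabled):
            findings.append((port, "cipher list enables RC4/MD5 suites"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_https_ports(SAMPLE_CONF):
        print(f"https_port {port}: {finding}")
```

Because the library drops the unusable ciphers silently, confirm the result against the running listener with openssl s_client as in the thread; this check only reads the configuration text.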


