[squid-users] Unable to Disable sslv3
rousskov at measurement-factory.com
Thu Sep 13 00:54:26 UTC 2018
On 09/12/2018 03:47 PM, squid at buglecreek.com wrote:
> We are using squid as reverse proxy and we have disabled SSLv3 :
> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
> We have also tried the sslproxy_options as well.
> Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not
> The version of Squid is 3.1.23, which is stock RH6 and which I know is old,
> but for now we need to use it.
> The only thing we have been able to do so far is add NO_TLSv1 to the
> https_port section. Then the scan comes back clean. Not sure what
> to look at next. Any suggestions?
I can nominate three suspects:
1. Your OpenSSL version does not support/define SSL_OP_NO_SSLv3.
2. Your scanning tool is confused/lying. SSLv3 is actually disabled.
3. Your Squid mishandles SSL_OP_NO_SSLv3 or your configuration.
To detect #1, you can grep source code of your OpenSSL version for the
To detect #2, you can try establishing an SSLv3-only connection to your
Squid https_port using OpenSSL s_client. Sorry, I do not have an exact
s_client command handy.
I cannot give you specific instructions for #3 detection, especially for
such an old Squid version, but a capable developer can confirm that the
configured option is applied successfully using a debugger or debugging
patches. With access to the right setup, it should not take more than an
hour or two (more without Squid knowledge).
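The reply above leaves the s_client command unstated. As an added example (not from the thread, and not Squid's or OpenSSL's own code), the script below covers suspects #1 and #2: it greps an OpenSSL header for SSL_OP_NO_SSLv3, and it runs `openssl s_client -ssl3` against the https_port and classifies the result. The header path and the host/port are assumptions you must adjust. One caveat a practitioner will hit: s_client prints an "SSL-Session:" block with "Protocol : SSLv3" even when the handshake fails, so the classifier keys on the negotiated cipher line rather than the protocol line. A second caveat: an OpenSSL built with no-ssl3 (the default on current distributions) cannot act as an SSLv3 client at all and rejects the -ssl3 option, which the script reports as a distinct outcome. The sample outputs are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl(1) is on PATH
# and, for the live probe, that it was built with SSLv3 support.

# Suspect 1: does the OpenSSL header Squid was built against define
# SSL_OP_NO_SSLv3? The default path is an assumption; point it at the headers
# of the OpenSSL that Squid was actually linked against.
check_openssl_header() {
    header="${1:-/usr/include/openssl/ssl.h}"
    if [ -r "$header" ] && grep -q 'SSL_OP_NO_SSLv3' "$header"; then
        echo "defined"
    else
        echo "missing"
    fi
}

# Suspect 2: decide from s_client output whether an SSLv3-only handshake
# succeeded. The "SSL-Session:" block appears even on failure, so the
# reliable signal is the negotiated cipher line:
#   New, SSLv3, Cipher is <name>   -> server accepted SSLv3
#   New, (NONE), Cipher is (NONE)  -> server refused the handshake
classify_sslv3_probe() {
    out="$1"
    if printf '%s\n' "$out" | grep -iq 'unknown option'; then
        echo "client-has-no-sslv3"    # local openssl built with no-ssl3
    elif printf '%s\n' "$out" | grep -q 'New, SSLv3, Cipher is [A-Z0-9]'; then
        echo "enabled"
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|handshake failure|wrong version number|protocol version'; then
        echo "disabled"
    else
        echo "unknown"
    fi
}

# Live probe against host:port (the Squid https_port). No SNI is sent; SSLv3
# has none, so -servername is not needed.
probe_sslv3() {
    host="$1"
    port="${2:-443}"
    out=$(openssl s_client -ssl3 -connect "$host:$port" </dev/null 2>&1)
    classify_sslv3_probe "$out"
}

# Constructed, abridged samples in the shape s_client prints, for offline
# exercise of the classifier. Note the failed case still says "Protocol : SSLv3".
SAMPLE_ENABLED=$(cat <<'EOF'
CONNECTED(00000003)
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
)

SAMPLE_DISABLED=$(cat <<'EOF'
CONNECTED(00000003)
140735292338128:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
)

SAMPLE_NO_SSL3_CLIENT='s_client: Unknown option: -ssl3'

# Usage: sh probe.sh <host> [port]   (OPENSSL_HDR overrides the header path)
if [ "$#" -ge 1 ]; then
    echo "SSL_OP_NO_SSLv3 in header: $(check_openssl_header "${OPENSSL_HDR:-/usr/include/openssl/ssl.h}")"
    echo "SSLv3 on $1:${2:-443}: $(probe_sslv3 "$1" "$2")"
fi
```

If the local openssl reports "client-has-no-sslv3", run the probe from a host with an older OpenSSL build, or use an independent scanner such as nmap's `ssl-enum-ciphers` script (`nmap --script ssl-enum-ciphers -p 443 <host>`), which enumerates accepted protocol versions without depending on the client library's own SSLv3 support; the thread itself mentions neither tool. A "disabled" result from either contradicts the Nessus finding and points at suspect #2; an "enabled" result with SSL_OP_NO_SSLv3 present in the header leaves suspect #3.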