[squid-users] Unable to Disable sslv3

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 13 00:54:26 UTC 2018

On 09/12/2018 03:47 PM, squid at buglecreek.com wrote:

> We are using squid as reverse proxy and we have disabled SSLv3 :

> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

> We have also tried the sslproxy_options as well.

> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not
> SSLv2.

> Version of Squid is (3.1.23), which is stock RH6, which I know is old,
> but for now we need to use it.

> The only thing we have been able to do so far is add NO_TLSv1 to the
> https_port section. Then the scan comes back clean. Not sure what
> to look at next. Any suggestions?

I can nominate three suspects:

  1. Your OpenSSL version does not support/define SSL_OP_NO_SSLv3.
  2. Your scanning tool is confused/lying. SSLv3 is actually disabled.
  3. Your Squid mishandles SSL_OP_NO_SSLv3 or your configuration.

To detect #1, you can grep source code of your OpenSSL version for the
said constant.

To detect #2, you can try establishing an SSLv3-only connection to your
Squid https_port using OpenSSL s_client. Sorry, I do not have an exact
s_client command handy.

I cannot give you specific instructions for #3 detection, especially for
such an old Squid version, but a capable developer can confirm that the
configured option is applied successfully using a debugger or debugging
patches. With access to the right setup, it should not take more than an
hour or two (more without Squid knowledge).
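The two checks the reply asks for, suspect #1 (grep the OpenSSL headers for SSL_OP_NO_SSLv3) and suspect #2 (an SSLv3-only s_client probe, which the reply leaves without an exact command), as an added shell example that is not part of this thread, of Squid or of OpenSSL. The function names (openssl_defines_no_sslv3, client_supports_ssl3, classify_s_client_output, probe_sslv3), the header path /usr/include/openssl/ssl.h and the sample s_client output used to exercise the classifier are my own assumptions and constructions; the output patterns matched ("Cipher is (NONE)", "alert handshake failure", "Protocol  : SSLv3") are what openssl s_client prints, but the exact wording can vary between OpenSSL releases, so treat "unknown" as "look at the raw output yourself".

```shell
#!/bin/sh
# Added example for the squid-users thread above; not part of the original post.
# Assumptions (not stated in the thread): OpenSSL headers live under
# /usr/include/openssl, and the *client-side* openssl binary still has the
# -ssl3 option. Modern OpenSSL builds compile SSLv3 out; such a client
# cannot prove anything about the server and the probe refuses to run.

HEADER_DEFAULT=/usr/include/openssl/ssl.h   # assumed location

# Suspect #1: does this OpenSSL define SSL_OP_NO_SSLv3 at all?
# Prints the defining line and returns 0 if found, 1 otherwise.
openssl_defines_no_sslv3() {
    hdr=${1:-$HEADER_DEFAULT}
    grep -E '^[[:space:]]*#[[:space:]]*define[[:space:]]+SSL_OP_NO_SSLv3[[:space:]]' "$hdr"
}

# Suspect #2, step 1: can the local client even speak SSLv3?
# (openssl s_client -help lists -ssl3 only when the build supports it.)
client_supports_ssl3() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl s_client -help 2>&1 | grep -q -- '-ssl3'
}

# Suspect #2, step 2: classify s_client output read from stdin.
# Echoes "rejected" when no cipher was negotiated or the server sent a
# handshake-failure alert, "accepted" when a cipher was negotiated and the
# session block reports Protocol : SSLv3, and "unknown" otherwise
# (connection refused, unexpected output, ...). Rejection is tested first
# because s_client prints a "Protocol  : SSLv3" line even for a failed
# -ssl3 attempt.
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|alert handshake failure|wrong version number'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*SSLv3[[:space:]]*$'; then
        echo accepted
    else
        echo unknown
    fi
}

# Attempt an SSLv3-only handshake against host:port and classify the result.
# -servername is sent because the https_port uses vhost (name-based
# certificate selection); drop it if your s_client lacks the option.
# Returns 2 when the local client cannot speak SSLv3.
probe_sslv3() {
    host=$1
    port=${2:-443}
    client_supports_ssl3 || { echo "local openssl has no -ssl3; cannot probe" >&2; return 2; }
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -ssl3 2>&1 \
        | classify_s_client_output
}

# Usage: sh sslv3-probe.sh www.example.com 443
if [ "$#" -gt 0 ]; then
    openssl_defines_no_sslv3 >/dev/null && echo "SSL_OP_NO_SSLv3 is defined in $HEADER_DEFAULT" \
        || echo "SSL_OP_NO_SSLv3 NOT found in $HEADER_DEFAULT"
    probe_sslv3 "$@"
fi
```

If probe_sslv3 prints "accepted" from a client that really supports SSLv3, the scanner is right and the option is not reaching the listening socket (suspect #3); if it prints "rejected", the scanner is wrong (suspect #2). Run the same probe with a TLS-capable client and without -ssl3 to confirm the port is otherwise reachable before trusting an "unknown".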
