[squid-users] Unable to Disable sslv3
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 13 04:27:02 UTC 2018
On 13/09/18 12:54 PM, Alex Rousskov wrote:
> On 09/12/2018 03:47 PM, squid wrote:
>
>> We are using squid as reverse proxy and we have disabled SSLv3 :
>
>> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
>> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
>> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
>> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
>
>> We have also tried the sslproxy_options as well.
>
>> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not
>> SSLv2.
>
>> Version of Squid is (3.1.23) which is stock RH6 which I know is old,
>> but for now we need to use it.
>
I assume you mean RHEL6 rather than RH6 from the 1990s; if not, then my
sympathies.
OpenSSL options to disable SSLv3 were not added until Squid-3.2 when
TLS-only support was added.
FYI: the list of currently known security vulnerabilities for Squid-3.1
is so long now that I have given up on trying to list them all in our
wiki. IMHO, even with RHEL patching, SSLv3 being enabled is the least of
your worries with that Squid. *PLEASE* upgrade Squid.
The RHEL maintainer is providing a special package for later versions of
Squid (IIRC a Squid-3.4 build) to help get RHEL6 people off it. Also,
Eliezer here is providing packages of current Squid releases for the
Fedora/RHEL/CentOS OS family.
You can remove the EC* ciphers in your config. The extra settings
required to enable use of any Elliptic Curve support in the library were not
added until late in the Squid-3.5 series.
Amos
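The practical point of this exchange is that the options= line in squid.conf only says what was asked for; on a Squid-3.1 build the NO_SSLv3 option is not implemented, so the Nessus finding is correct and the only reliable check is on the wire. The following is an added example, not code from this thread, from Amos, or from the Squid project: it parses an https_port line for NO_SSLv3, builds a bare SSLv3 ClientHello, and classifies the first record a server sends back. The function names, the short cipher-suite list and the sample response byte strings are my own constructions.

```python
# Added example (not from the thread or the Squid project): verify whether a
# listening port really refuses SSLv3, instead of trusting the squid.conf
# options= line.  Function names, the cipher-suite list and the sample byte
# strings below are constructed for this illustration.
import os
import re
import socket
import struct

SSLV3 = b"\x03\x00"                       # SSLv3 is version 3.0 on the wire
# A few cipher suites every SSLv3 stack understood (constructed list):
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA
CIPHER_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"


def config_claims_sslv3_disabled(port_line):
    """True if a (joined, single-line) https_port/http_port directive carries
    NO_SSLv3 in its options= value.  This only reports what the config asks
    for; Squid-3.1 ignores the option, so the wire check below is the one
    that counts."""
    match = re.search(r"options=(\S+)", port_line)
    if not match:
        return False
    return "NO_SSLv3" in match.group(1).split(",")


def build_sslv3_client_hello(client_random=None):
    """Minimal SSLv3 ClientHello record (SSLv3 has no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    body = (SSLV3 + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Interpret the first record a server returns for the SSLv3 ClientHello."""
    if not data:
        return "closed"                      # peer hung up: SSLv3 refused
    if data[0] == 0x15:                      # Alert record: level at [5], description at [6]
        desc = data[6] if len(data) >= 7 else -1
        return f"rejected(alert {desc})"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake / ServerHello
        major, minor = data[9], data[10]     # server_version inside the ServerHello body
        if (major, minor) == (3, 0):
            return "sslv3_accepted"          # this is what the scanner flags
        return f"negotiated {major}.{minor}"
    return "unexpected"


def probe_sslv3(host, port, timeout=5.0):
    """Live check of host:port (uses the network; not run by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_server_response(data)


# Constructed sample responses for offline use.
ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"     # fatal(2), handshake_failure(40)
SSLV3_SERVER_HELLO = (b"\x16" + SSLV3 + b"\x00\x2a" + b"\x02\x00\x00\x26" + SSLV3
                      + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
TLS12_SERVER_HELLO = (b"\x16\x03\x03" + SSLV3_SERVER_HELLO[3:9] + b"\x03\x03"
                      + SSLV3_SERVER_HELLO[11:])

if __name__ == "__main__":
    print(config_claims_sslv3_disabled(
        "https_port 0.0.0.0:443 accel options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE"))
    for sample in (b"", ALERT_HANDSHAKE_FAILURE, SSLV3_SERVER_HELLO, TLS12_SERVER_HELLO):
        print(classify_server_response(sample))
```

Run probe_sslv3() against the reverse proxy's own address from a host that is allowed to reach it; a result of "sslv3_accepted" after a NO_SSLv3 config change confirms the running Squid does not honour the option and that an upgrade, not a config edit, is the fix.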