<div dir="ltr">I have submitted a bug : <a href="http://bugs.squid-cache.org/show_bug.cgi?id=4639">http://bugs.squid-cache.org/show_bug.cgi?id=4639</a></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 21, 2016 at 5:48 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Can you file a bug at the Bugzilla please?<br>
<a href="http://bugs.squid-cache.org/enter_bug.cgi" rel="noreferrer" target="_blank">http://bugs.squid-cache.org/<wbr>enter_bug.cgi</a><br>
<br>
This is a very important issue to handle for both 3.5 and 4.0.<br>
<br>
Eliezer<br>
<br>
* If you are having any trouble handling the Bugzilla let me know and<br>
I will try to help.<br>
<span class=""><br>
----<br>
Eliezer Croitoru <<a href="http://ngtech.co.il/lmgtfy/" rel="noreferrer" target="_blank">http://ngtech.co.il/lmgtfy/</a>><br>
Linux System Administrator<br>
Mobile: <a href="tel:%2B972-5-28704261" value="+972528704261">+972-5-28704261</a><br>
Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
<br>
<br>
</span>From: Martin Tenev [mailto:<a href="mailto:martintinten@gmail.com">martintinten@gmail.com</a><wbr>]<br>
Sent: Monday, November 21, 2016 19:18<br>
To: Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>><br>
Cc: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] Squid 3.5.21 "hangs" when trying to connect<br>
<span class="">using unsupported cipher (complete DoS)<br>
<br>
</span><span class="">without restricting the ciphers seems to work fine, however some of the<br>
ciphers are vulnerable to attacks...Furthermore I think if I try some weird<br>
cipher which Squid is not supporting the same thing will happen...<br>
<br>
On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
</span><span class=""><mailto:<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>> > wrote:<br>
But what happens when you are not restricting the cipher with all this mess<br>
in the options?<br>
Would then also the DOS from nmap result the same issue?<br>
<br>
Eliezer<br>
<br>
----<br>
Eliezer Croitoru <<a href="http://ngtech.co.il/lmgtfy/" rel="noreferrer" target="_blank">http://ngtech.co.il/lmgtfy/</a>><br>
Linux System Administrator<br>
</span>Mobile: <a href="tel:%2B972-5-28704261" value="+972528704261">+972-5-28704261</a> <tel:%2B972-5-28704261><br>
Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a> <mailto:<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>><br>
<span class=""><br>
<br>
From: squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@<wbr>lists.squid-cache.org</a><br>
<mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@<wbr>lists.squid-cache.org</a>> ] On<br>
Behalf Of Martin Tenev<br>
Sent: Monday, November 21, 2016 19:01<br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
</span><mailto:<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.<wbr>squid-cache.org</a>><br>
<div class="HOEnZb"><div class="h5">Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using<br>
unsupported cipher (complete DoS)<br>
<br>
Hello,<br>
<br>
I am having problems with squid & SSL. I have setup squid in reverse-proxy<br>
configuration and overall it works fine, however for security reasons I had<br>
to disable some of the ciphers. I have taken an example configuration from<br>
<a href="http://www.rawiriblundell.com/?p=1442" rel="noreferrer" target="_blank">http://www.rawiriblundell.com/<wbr>?p=1442</a> and my https_port line looks pretty<br>
much like this (this is the example from the website but the disabled<br>
ciphers are the same for me as well):<br>
<br>
https_port 443 accel defaultsite=someinternalhost vhost<br>
cert=/etc/squid/CertAuth/<wbr>supersecret.crt<br>
key=/etc/squid/CertAuth/<wbr>supersecret.key<br>
options=NO_SSLv2,NO_SSLv3,<wbr>CIPHER_SERVER_PREFERENCE<br>
cipher=ECDHE-RSA-AES256-GCM-<wbr>SHA384:ECDHE-RSA-AES128-GCM-<wbr>SHA256:DHE-RSA-AES2<br>
5<br>
6-GCM-SHA384:DHE-RSA-AES128-<wbr>GCM-SHA256:ECDHE-RSA-AES256-<wbr>SHA384:ECDHE-RSA-AE<br>
S<br>
128-SHA256:ECDHE-RSA-AES256-<wbr>SHA:ECDHE-RSA-AES128-SHA:DHE-<wbr>RSA-AES256-SHA256:<br>
D<br>
HE-RSA-AES128-SHA256:DHE-RSA-<wbr>AES256-SHA:DHE-RSA-AES128-SHA:<wbr>ECDHE-RSA-DES-CB<br>
C<br>
3-SHA:EDH-RSA-DES-CBC3-SHA:<wbr>AES256-GCM-SHA384:AES128-GCM-<wbr>SHA256:AES256-SHA25<br>
6<br>
:AES128-SHA256:AES256-SHA:<wbr>AES128-SHA:DES-CBC3-SHA:HIGH:!<wbr>aNULL:!eNULL:!EXPOR<br>
T<br>
:!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/<wbr>dhparams.pem<br>
<br>
During my build I have included the config options --enable-ssl and<br>
--with-openssl=/usr<br>
<br>
Using the proxy through a browser works fine, but if I try nmap --script<br>
ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA'<br>
-connect <host> these commands result in complete DoS for a few minutes. I<br>
figured out that only the unsupported or disabled ciphers cause this<br>
problem. Also when I do the openssl connection as shown above the proxy<br>
will<br>
be unresponsive as long as openssl is trying to connect using the disabled<br>
cipher. As soon as it finishes (eg times out unable to connect using RC4)<br>
the proxy starts serving requests again. I should mention that I am running<br>
squid inside a docker container if this matters at all.<br>
<br>
The errors in my logs are :<br>
"Error negotiating SSL connection on FD 22: error 1408A0C1:SSL<br>
routines:SSL3_GET_CLIENT_<wbr>HELLO: no shared cipher (1/-1)<br>
<br>
"Error negotiating SSL connection on FD 25: error 1408A10B:SSL<br>
routines:SSL3_GET_CLIENT_<wbr>HELLO: wrong version number (1/-1)<br>
<br>
P.S I also tried squid 4, and got exactly the same problem.<br>
<br>
Any help will be much appreciated<br>
<br>
Thanks!<br>
<br>
</div></div></blockquote></div><br></div>