[squid-users] Squid Upgrade from 3.4.12 to 3.5.3 on FreeBSD 10.1 broke Exchange RPC reverse proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 24 02:11:04 UTC 2015


On 24/04/2015 7:11 a.m., dweimer wrote:
> On 04/23/2015 9:24 am, dweimer wrote:
>> I upgraded our Reverse proxy from 3.4.12 to 3.5.3 via the FreeBSD
>> ports last night. It has broken our Outlook RPC over HTTPS. OWA and
>> Phones are still connecting with Active Sync, its just the RPC for
>> Outlook anywhere that is broken.
>>
>> Did anyone else have any issues when upgrading from 3.4 branch to 3.5
>> branch with Outlook RPC?
> 
> In case anyone else is having an issue, I found the solution. Which also
> solved a long standing issue with larger file uploads through
> OWA/ActiveSync/RPC, that we were having. I had to force the cache peer
> to use SSLv3 instead of TLSv1.0 by adding sslversion=3 to the cache peer
> line.
> 
> cache_peer 1.1.1.1 parent 443 0 ssl no-query proxy-only no-digest
> originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER
> login=PASSTHRU front-end-https=on connection-auth=on sslversion=3
> 
> The HTTPS port line is still enforcing TLSv1.0 or newer, with restricted
> ciphers.
> 
> https_port 1.1.1.2:443 accel cert=... key=...
> options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE
> cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4
> 
> 

Ouch. Good to know thank you.

FYI:
That workaround is one to keep an eye on. You may find the workaround
needs undoing at some point soonish.
MS are officially in the process of releasing updates that remove and
disable SSLv3 support from their software. It began back in Oct/Nov 2014
and seems to be moving across the product range in a staged rollout with
each of the "Patch Tuesday" so far (and probably some future ones).

Amos
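A configuration check for the two directives discussed in this thread, added here as an example; it is not code from the Squid project or from either poster. It rejoins the mail-wrapped cache_peer and https_port lines into single directives, parses them, and flags the settings the reply above says will need revisiting: sslversion=3 pinning SSLv3 toward the origin, and sslflags=DONT_VERIFY_PEER, which skips origin certificate validation. It also checks that the https_port options= list disables SSLv2 and SSLv3. The meaning of the sslversion=N values follows the Squid 3.x squid.conf documentation; the certificate paths in the sample are placeholders, and the second sample (with sslversion=3 removed) is constructed to show what the workaround's undoing would look like.

```python
"""Audit squid.conf cache_peer / https_port lines for legacy SSL settings.

Added example, not code from the Squid project or from the thread.
"""
import shlex

# Meaning of cache_peer sslversion=N in Squid 3.x, per the squid.conf documentation.
SSLVERSION_NAMES = {"1": "automatic", "2": "SSLv2", "3": "SSLv3",
                    "4": "TLSv1.0", "5": "TLSv1.1", "6": "TLSv1.2"}

# Number of positional arguments that precede the option list for each directive.
POSITIONAL = {"cache_peer": 4, "https_port": 1}

# Constructed sample: the two directives from the post, rejoined onto single
# lines. Certificate paths are placeholders, not values from the post.
WORKAROUND_CONFIG = """
cache_peer 1.1.1.1 parent 443 0 ssl no-query proxy-only no-digest originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER login=PASSTHRU front-end-https=on connection-auth=on sslversion=3
https_port 1.1.1.2:443 accel cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4
"""

# Constructed sample: the same peer with the sslversion=3 pin removed again
# (Squid then negotiates automatically). DONT_VERIFY_PEER is still present.
REVERTED_CONFIG = """
cache_peer 1.1.1.1 parent 443 0 ssl no-query proxy-only no-digest originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER login=PASSTHRU front-end-https=on connection-auth=on
https_port 1.1.1.2:443 accel cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4
"""


def parse_directive(line):
    """Return (name, positional_args, flags, options) for one squid.conf line.

    Bare words after the positional arguments are flags (e.g. 'originserver',
    'ssl'); 'key=value' words are options. A directive wrapped by a mail client
    must be rejoined onto one line before parsing.
    """
    tokens = shlex.split(line, comments=True)
    name = tokens[0]
    n = POSITIONAL.get(name, 0)
    positional, flags, options = tokens[1:1 + n], set(), {}
    for tok in tokens[1 + n:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            options[key] = value
        else:
            flags.add(tok)
    return name, positional, flags, options


def audit_cache_peer(flags, options):
    """Flag an SSL cache_peer that pins SSLv2/SSLv3 or skips cert validation."""
    findings = []
    peer = options.get("name", "<unnamed>")
    if "ssl" not in flags:
        return findings  # plain-HTTP peer: nothing TLS-related to check
    ver = options.get("sslversion", "1")  # Squid defaults to automatic
    if ver in ("2", "3"):
        findings.append(f"{peer}: sslversion={ver} pins {SSLVERSION_NAMES[ver]} "
                        "to the origin; remove it once the origin drops that version")
    sslflags = options.get("sslflags", "").split(",")
    if "DONT_VERIFY_PEER" in sslflags:
        findings.append(f"{peer}: sslflags=DONT_VERIFY_PEER disables origin "
                        "certificate validation")
    return findings


def audit_https_port(positional, options):
    """Flag a listener whose options= does not disable SSLv2 and SSLv3."""
    findings = []
    listen = positional[0] if positional else "?"
    disabled = set(options.get("options", "").split(":"))
    for proto in ("NO_SSLv2", "NO_SSLv3"):
        if proto not in disabled:
            findings.append(f"{listen}: options= does not include {proto}")
    return findings


def audit_config(text):
    """Audit every cache_peer / https_port directive in a squid.conf fragment."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, positional, flags, options = parse_directive(line)
        if name == "cache_peer":
            findings.extend(audit_cache_peer(flags, options))
        elif name == "https_port":
            findings.extend(audit_https_port(positional, options))
    return findings


if __name__ == "__main__":
    for label, cfg in (("workaround", WORKAROUND_CONFIG), ("reverted", REVERTED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Running it against the workaround configuration reports both the SSLv3 pin and the disabled certificate check; the reverted sample still reports DONT_VERIFY_PEER, which the SSLv3 change does nothing to fix. The https_port line from the post passes, since its options= already carries NO_SSLv2:NO_SSLv3.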



