[squid-users] Problem with SSL client setting in case of reverse proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 11 11:09:14 UTC 2016


On 10/08/2016 6:49 p.m., Frosch Martin wrote:
> Hello,
> 
> I hope I am right here.
> 
> I use Squid Version 3.5.20 as reverse Proxy for Outlook (2010)
> Anywhere and OWA. The problem is that I cannot transfer Files bigger
> than 2MB since the Microsoft Update
> https://technet.microsoft.com/de-de/library/security/3042058. This
> Update brings new Cipher Versions to IIS. Now I want to use older
> Cipher Suites but the following line of Squid config is not working
> 100%.

Why do you want to force bad security when better is available?

> 
> cache_peer X.X.X.X parent 443 0 ssl no-query originserver
> sslflags=DONT_VERIFY_PEER
> ssloptions=NO_SSLv2:NO_SSLv3:ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET

Process those options (instructions) from left-to-right in your head.
You should see that all things *enabled* at the end of it. That includes
SSLv2 and SSLv3 being enabled.

Hint: "ALL" force-enables everything the library is capable of.
Restrictions can only follow after it in the options list.

> sslcipher=AES256-SHA login=PASS name=exchangeServer standby=5
> 
> Squid as Client uses always 38 Cipher Suites, no matter what I define
> as ssloptions or sslcipher.
> 

cipher= is very rarely needed to be explicitly set. The library already
enables good ciphers, and options can enable others manually if needed.


Use of ALL in the options is often recommended by people without
understanding what it does. It enables *everything* the library is
capable of doing. Basically using it means the admin (or whoever wrote
the tutorial) thinks they know security better than the experts who
wrote the library. Then the admin/author goes and lists removal of the
(often few) things they know are bad (at that point in time) - often
missing out lots of custom hacks they don't know the library just enabled
as instructed, or crypto things which are broken but long forgotten.

The best thing to do is to start with neither cipher nor options
configured at all and test what the library tries to offer. Use that
test to add specific disable/enable options to the options= list. Repeat
as necessary until what the library does meets your need.

HTH
Amos
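A small model of the left-to-right evaluation Amos describes above, added here as an illustration (it is not Squid's or OpenSSL's parser): it walks the posted ssloptions string and a reordered one and shows which features end up enabled. The feature set and the starting defaults are constructed assumptions; only the ordering rule ("ALL enables everything, restrictions count only after it") comes from the reply.

```python
# Added illustration of left-to-right ssloptions evaluation as explained in the
# reply above. Not Squid code: the feature table and defaults are assumptions.
from typing import Dict, Set

# Constructed stand-in for "everything the library is capable of".
LIBRARY_FEATURES = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TICKET"}
# Constructed stand-in for the library's own sensible defaults.
DEFAULT_ENABLED = {"TLSv1", "TLSv1_1", "TLSv1_2"}

POSTED_OPTIONS = "NO_SSLv2:NO_SSLv3:ALL:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET"
REORDERED_OPTIONS = "ALL:NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:SINGLE_ECDH_USE:NO_TICKET"


def evaluate_ssloptions(ssloptions: str) -> Dict[str, bool]:
    """Walk the colon-separated list left to right and return feature states.

    Rules modelled, as the reply states them:
      ALL     -> force-enable every feature the library supports
      NO_<X>  -> disable X (so it only sticks if it comes after ALL)
      <X>     -> enable X
    Tokens not in the feature table (e.g. SINGLE_DH_USE) leave the set alone.
    """
    state = {f: f in DEFAULT_ENABLED for f in LIBRARY_FEATURES}
    for token in filter(None, ssloptions.split(":")):
        if token == "ALL":
            state = {f: True for f in LIBRARY_FEATURES}
        elif token.startswith("NO_") and token[3:] in state:
            state[token[3:]] = False
        elif token in state:
            state[token] = True
    return state


def enabled(ssloptions: str) -> Set[str]:
    """Names of the features left enabled after evaluating ssloptions."""
    return {f for f, on in evaluate_ssloptions(ssloptions).items() if on}


if __name__ == "__main__":
    for label, opts in (("no options (library defaults)", ""),
                        ("as posted", POSTED_OPTIONS),
                        ("restrictions after ALL", REORDERED_OPTIONS)):
        print(f"{label:32s} -> {sorted(enabled(opts))}")
```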

