[squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)
Martin Tenev
martintinten at gmail.com
Mon Nov 21 17:17:55 UTC 2016
without restricting the ciphers seems to work fine, however some of the
ciphers are vulnerable to attacks...Furthermore I think if I try some weird
cipher which Squid is not supporting the same thing will happen...
On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:
> But what happens when you are not restricting the cipher with all this mess
> in the options?
> Would then also the DOS from nmap result the same issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Martin Tenev
> Sent: Monday, November 21, 2016 19:01
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using
> unsupported cipher (complete DoS)
>
> Hello,
>
> I am having problems with squid & SSL. I have setup squid in reverse-proxy
> configuration and overall it works fine, however for security reasons I had
> to disable some of the ciphers. I have taken an example configuration from
> http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty
> much like this (this is the example from the website but the disabled
> ciphers are the same for me as well):
>
> https_port 443 accel defaultsite=someinternalhost vhost
> cert=/etc/squid/CertAuth/supersecret.crt
> key=/etc/squid/CertAuth/supersecret.key
> options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-
> SHA256:DHE-RSA-AES25
> 6-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-
> SHA384:ECDHE-RSA-AES
> 128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-
> RSA-AES256-SHA256:D
> HE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:
> ECDHE-RSA-DES-CBC
> 3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-
> SHA256:AES256-SHA256
> :AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!
> aNULL:!eNULL:!EXPORT
> :!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/dhparams.pem
>
> During my build I have included the config options --enable-ssl and
> --with-openssl=/usr
>
> Using the proxy through a browser works fine, but if I try nmap --script
> ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA'
> -connect <host> these commands result in complete DoS for a few minutes. I
> figured out that only the unsupported or disabled ciphers cause this
> problem. Also when I do the openssl connection as shown above the proxy
> will
> be unresponsive as long as openssl is trying to connect using the disabled
> cipher. As soon as it finishes (eg times out unable to connect using RC4)
> the proxy starts serving requests again. I should mention that I am running
> squid inside a docker container if this matters at all.
>
> The errors in my logs are :
> "Error negotiating SSL connection on FD 22: error 1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
>
> "Error negotiating SSL connection on FD 25: error 1408A10B:SSL
> routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
>
> P.S I also tried squid 4, and got exactly the same problem.
>
> Any help will be much appreciated
>
> Thanks!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161121/3a36f4d6/attachment.html>
More information about the squid-users
mailing list