[squid-users] RC4-MD5 cipher is always enabled?
chiasa.men
chiasa.men at web.de
Wed Sep 6 15:33:57 UTC 2017
Am Dienstag, 5. September 2017, 11:57:06 CEST schrieb Amos Jeffries:
> On 05/09/17 20:55, chiasa.men wrote> Thanks, that was easy... but:
> > That does not work:
> >
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem
> > key=/ example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5
> >
> > openssl s_client -connect localhost:3128
> > 140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> > alert handshake failure:s23_clnt.c:769:
> >
> >
> > Allowing RC4 and MD5 works:
> >
> > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem
> > key=/ example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5
> >
> > openssl s_client -connect localhost:3128
> >
> > Cipher : ECDH-ECDSA-RC4-SHA
> >
> > But openssl works without allowing RC4 and MD5:
> >
> > openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher
> > 'ECDHE- ECDSA-AES256-GCM-SHA384:!RC4:!MD5'
> >
> > openssl s_client -connect localhost:4433
> >
> > Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
> >
> > So I guess the certificate and the openssl part should work.
> > Maybe you could give another advice?
>
> "
> cipher=
> Colon separated list of supported ciphers.
> NOTE: some ciphers such as EDH ciphers depend on
> additional settings. If those settings are
> omitted the ciphers may be silently ignored
> by the OpenSSL library."
> "
>
> For the ECDHE-* ciphers to work the server end needs to be configured
> with curve parameters. That is done the tls-dh= option with a curve name
> and
>
> "
> tls-dh=[curve:]file
> File containing DH parameters for temporary/ephemeral DH key
> exchanges, optionally prefixed by a curve for ephemeral ECDH
> key exchanges.
> See OpenSSL documentation for details on how to create the
> DH parameter file. Supported curves for ECDH can be listed
> using the "openssl ecparam -list_curves" command.
>
> WARNING: EDH and EECDH ciphers will be silently disabled if
> this option is not set.
> "
>
> > btw, the used squid version:
> > Squid Cache: Version 3.5.12
> > Service Name: squid
> > Ubuntu linux
>
> Please upgrade. Somewhat urgently.
>
> * TLS/SSL has had a *lot* of progress in the past few years. There are
> many security related issues resolved in the latest releases which exist
> in the older ones.
>
> * ECDHE is a good example of the change. It is not supported *at all* by
> that old version of Squid.
>
> When using TLS/SSL support Squid-3.5.24 is currently the oldest
> acceptable Squid release as it contains extra mitigation for TLS DoS
> vulnerabilities. The current 3.5.27 would be best from the 3.5 series.
>
> If you are not already aware there is no official security
> support/tracking from Debian and Ubuntu for TLS/SSL vulnerabilities as
> their packages do not ship with OpenSSL support. So following their
> stable/security package version is of no benefit for TLS/SSL issues, you
> need to track upstream releases yourself when custom building software
> (that goes for anything, not just Squid).
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Thanks - rtfm often helps. Sorry for that!
Furthermore my certificates were not corresponding to the ecc so I had to
regenerate them via "openssl ecparam" (not openssl rsa). Kind of obvious but I
just forgot about them.
The version was simply compiled via apt source on Ubuntu. I'm using the
current version now (un/fortunately Ubuntu is not bleeding edge)
More information about the squid-users
mailing list