[squid-users] Disable SSLv3 Not working

squid at buglecreek.com squid at buglecreek.com
Fri Mar 30 22:41:32 UTC 2018


We are using Squid as a reverse proxy and we have disabled SSLv3:

https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com vhost cert=/etc/....cert.pem key=/etc/....privkey.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2. Looking at the SSL handshake client hello and server hellos, it does seem that SSLv3 is being used. Is there something that we are missing?

Version of Squid (3.1) is stock RH6, which I know is old, but for now we need to use it. We will be upgrading to RH7, but it may be a little while, so I'd like to get this solved.

Secure Sockets Layer
    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: SSL 3.0 (0x0300)
            Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
            Session ID Length: 32
            Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Compression Method: null (0)
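
An added example, not part of the original post: a small Python parser for the record type shown in the capture above, reporting the protocol version the server selected in its ServerHello so the scanner finding can be confirmed from captured bytes. The sample record is constructed to match the lengths and cipher suite in the dissection; the Random and Session ID bytes are filler because the post truncates them, and the function names are hypothetical.

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {0x0200: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one SSL/TLS record carrying a ServerHello (pre-TLS 1.3 layout)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    hs_len = int.from_bytes(body[1:4], "big")
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    (hello_ver,) = struct.unpack("!H", hello[:2])
    off = 35 + hello[34]          # skip version, random, session ID
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    (cipher,) = struct.unpack("!H", hello[off:off + 2])
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "negotiated_version": VERSIONS.get(hello_ver, hex(hello_ver)),
        "cipher_suite": cipher,
        "compression": hello[off + 2],
        "sslv3_negotiated": hello_ver == 0x0300,
    }

def build_sample(version: int) -> bytes:
    """Constructed record shaped like the capture; random/session ID are filler."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x20" + b"\x22" * 32
    hello += struct.pack("!HB", 0x0039, 0)   # cipher suite and null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(hs)) + hs

if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        print(parse_server_hello(build_sample(v)))
```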

