[squid-users] Unable to Disable sslv3
Alex Rousskov
rousskov at measurement-factory.com
Thu Sep 13 00:54:26 UTC 2018
On 09/12/2018 03:47 PM, squid at buglecreek.com wrote:
> We are using squid as reverse proxy and we have disabled SSLv3 :
> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
> We have also tried the sslproxy_options as well.
> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not
> SSLv2.
> Version of Squid is (3.1.23) which is stock RH6 which I know is old,
> but for now we need to use it.
> The only thing we have been able to do so far is add NO_TLSv1 to the
> https_port section. Then the scan comes back clean. Not sure what
> to look at next. Any suggestions?
I can nominate three suspects:
1. Your OpenSSL version does not support/define SSL_OP_NO_SSLv3.
2. Your scanning tool is confused/lying. SSLv3 is actually disabled.
3. Your Squid mishandles SSL_OP_NO_SSLv3 or your configuration.
To detect #1, you can grep source code of your OpenSSL version for the
said constant.
To detect #2, you can try establishing an SSLv3-only connection to your
Squid https_port using OpenSSL s_client. Sorry, I do not have an exact
s_client command handy.
I cannot give you specific instructions for #3 detection, especially for
such an old Squid version, but a capable developer can confirm that the
configured option is applied successfully using a debugger or debugging
patches. With access to the right setup, it should not take more than an
hour or two (more without Squid knowledge).
HTH,
Alex.
More information about the squid-users
mailing list