[squid-users] Unable to Disable sslv3

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 13 04:27:02 UTC 2018


On 13/09/18 12:54 PM, Alex Rousskov wrote:
> On 09/12/2018 03:47 PM, squid wrote:
> 
>> We are using squid as reverse proxy and we have disabled SSLv3 :
> 
>> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
>> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
>> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
>> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
> 
>> We have also tried the sslproxy_options as well.
> 
>> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not
>> SSLv2.
> 
>> Version of Squid is (3.1.23) which is stock RH6 which I know is old,
>> but for now we need to use it.
> 

I assume you mean RHEL6 rather than RH6 from the 1990s. If not, then my
sympathies.

OpenSSL options to disable SSLv3 were not added until Squid-3.2 when
TLS-only support was added.


FYI: the list of currently known security vulnerabilities for Squid-3.1
is so long now that I have given up on trying to list them all in our
wiki. IMHO, even with RHEL patching, SSLv3 being enabled is the least of
your worries with that Squid. *PLEASE* upgrade Squid.

The RHEL maintainer is providing a special package for later versions of
Squid (IIRC a Squid-3.4 build) to help get RHEL6 people off it. Also,
Eliezer here is providing packages of current Squid releases for the
Fedora/RHEL/CentOS OS family.


You can remove the EC* ciphers in your config. The extra settings
required to enable use of any Elliptic Curve support in the library were
not added until late in the Squid-3.5 series.

Amos
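Since Squid-3.1 predates the OpenSSL options that disable SSLv3, the scanner's finding, not the `options=` line, is what to trust. The following is an added example, not code from this thread or from the Squid project: it checks what a listener actually negotiates by sending a hand-built SSLv3 ClientHello and reporting whether a ServerHello at version 0x0300 comes back. The host and port are supplied by you; it deliberately avoids the local OpenSSL's SSLv3 support, which is usually compiled out.

```python
import socket
import struct

SSLV3 = 0x0300  # protocol version field for SSLv3


def build_sslv3_client_hello() -> bytes:
    """Hand-built SSLv3 ClientHello offering a single cipher suite.
    Raw bytes are used so the probe does not need SSLv3 in the local OpenSSL."""
    client_random = b"\x00" * 32   # a fixed value is fine for a probe
    suites = b"\x00\x2f"           # TLS_RSA_WITH_AES_128_CBC_SHA, valid under SSLv3
    body = (struct.pack("!H", SSLV3) + client_random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record returned for the SSLv3 ClientHello.
    'accepted': ServerHello at version 0x0300, i.e. SSLv3 is enabled.
    'rejected': alert record, or a ServerHello at some other version.
    'unknown':  connection closed or reply too short to judge."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:                       # alert: handshake refused
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        negotiated = struct.unpack("!H", data[9:11])[0]  # ServerHello.server_version
        return "accepted" if negotiated == SSLV3 else "rejected"
    return "unknown"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""                               # closed without answering
    return classify_response(reply)


if __name__ == "__main__":
    import sys  # usage: python probe.py www.example.com [port]
    print(probe_sslv3(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "accepted" against the reverse proxy confirms the Nessus finding regardless of what the config says; "rejected" or a closed connection means SSLv3 is not being offered.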
