Disable SSLv3 Not working


Disable SSLv3 Not working

squid-5
We are using squid as reverse proxy and we have disabled SSLv3 :

https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com vhost cert=/etc/....cert.pem key=/etc/....privkey.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2. Looking at the SSL handshake client hello and server hellos, it does seem that SSLv3 is being used. Is there something that we are missing?

The version of Squid (3.1) is stock RH6, which I know is old, but for now we need to use it. We will be upgrading to RH7, but it may be a little while, so I'd like to get this solved.

Secure Sockets Layer
    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: SSL 3.0 (0x0300)
            Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
            Session ID Length: 32
            Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Compression Method: null (0)
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
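As an added illustration (not code from the thread or from Squid), the following Python script parses a single SSL/TLS record carrying a ServerHello, the same structure shown in the capture above, and reports which protocol version the server actually agreed to. The sample bytes are constructed to match the field values in the dump (record version 0x0300, record length 74, ServerHello length 70, session ID length 32, cipher suite 0x0039); the random and session ID are padded with zero bytes to their full 32-byte width because the capture truncates them. Running the same check on bytes captured from each side of the proxy (client to Squid, and Squid to origin server) answers the question Amos raises below about which connection the SSLv3 hello belongs to.

```python
"""Parse an SSL/TLS record containing a ServerHello and report the negotiated
protocol version. Added example for this thread; it is not part of Squid.
"""
import struct

# Wire-format version codes and their names.
VERSIONS = {
    0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
    0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
CONTENT_TYPE_HANDSHAKE = 22   # record layer content type for handshake messages
HANDSHAKE_SERVER_HELLO = 2    # handshake message type for ServerHello


def build_sample_server_hello() -> bytes:
    """Constructed sample matching the lengths and values in the capture.

    The 24 visible random/session-ID bytes from the dump are kept and padded
    with zeros to the 32 bytes each field must have on the wire.
    """
    random = bytes.fromhex("5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b") + b"\x00" * 8
    session_id = bytes.fromhex("44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7") + b"\x00" * 8
    body = struct.pack("!H", 0x0300)            # server_version: SSL 3.0
    body += random                              # 32-byte random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 0x0039)           # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    body += b"\x00"                             # compression method: null
    # body is 2 + 32 + 1 + 32 + 2 + 1 = 70 bytes, as in the dump
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # handshake is 4 + 70 = 74 bytes, the record-layer length in the dump
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!H", 0x0300)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_hello(record: bytes) -> dict:
    """Decode one handshake record holding a ServerHello.

    Raises ValueError on anything that is not a complete ServerHello record,
    so a truncated or misidentified capture is reported rather than misread.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"content type {ctype} is not Handshake (22)")
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("record payload truncated")
    if len(payload) < 4 or payload[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello (2)")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("ServerHello body truncated")
    (hs_version,) = struct.unpack("!H", body[:2])
    sid_len = body[34]                          # after 2-byte version + 32-byte random
    sid_end = 35 + sid_len
    if len(body) < sid_end + 3:
        raise ValueError("ServerHello ends before cipher suite/compression")
    (cipher_suite,) = struct.unpack("!H", body[sid_end:sid_end + 2])
    compression = body[sid_end + 2]
    return {
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "handshake_version": VERSIONS.get(hs_version, hex(hs_version)),
        "cipher_suite": cipher_suite,
        "compression": compression,
        # SSLv2 and SSLv3 are the versions a scanner such as Nessus flags.
        "deprecated": hs_version <= 0x0300,
    }


if __name__ == "__main__":
    info = parse_server_hello(build_sample_server_hello())
    print(f"server agreed to {info['handshake_version']} "
          f"with cipher suite 0x{info['cipher_suite']:04x}; "
          f"{'DEPRECATED' if info['deprecated'] else 'ok'}")
```

The ServerHello's own version field (not the record-layer version) is what the server committed to; for the capture in this thread both read 0x0300, which is why Nessus flags SSLv3 regardless of the NO_SSLv3 option on https_port if the hello came from the other connection.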

Re: Disable SSLv3 Not working

Amos Jeffries
Administrator
On 31/03/18 11:41, squid wrote:
> We are using squid as reverse proxy and we have disabled SSLv3 :
>
> https_port ... options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

NP: Squid-3.5 or later is required for EC cipher support.


>
> Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2. Looking at the SSL handshake client hello and server hellos, it does seem that SSLv3 is being used. Is there something that we are missing?
>
> The version of Squid (3.1) is stock RH6, which I know is old, but for now we need to use it. We will be upgrading to RH7, but it may be a little while, so I'd like to get this solved.
>
> Secure Sockets Layer
>     SSLv3 Record Layer: Handshake Protocol: Server Hello
>         Content Type: Handshake (22)
>         Version: SSL 3.0 (0x0300)
>         Length: 74
>         Handshake Protocol: Server Hello
>             Handshake Type: Server Hello (2)
>             Length: 70
>             Version: SSL 3.0 (0x0300)
>             Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
>             Session ID Length: 32
>             Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
>             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>             Compression Method: null (0)

Which of the TCP connections was that hello performed on?

You have apparently only disabled SSLv3 on the client->Squid connection.
No information is provided about the Squid->server settings
(sslproxy_options).


Also, these options are handled by OpenSSL. They only work if the
library Squid was built against supports them.

Amos

Re: Disable SSLv3 Not working

squid-5
I missed that I needed that setting (sslproxy_options) in a reverse proxy mode of operation. We haven't had to use any of the sslproxy_* options. I'll test that and see if it takes care of the issue.

Does this option need to be placed anywhere specifically in the config?

Also, does this require any other sslproxy_* options? Our goal is just to stop Nessus from flagging SSLv3. Thanks

On Fri, Mar 30, 2018, at 8:29 PM, Amos Jeffries wrote:

> On 31/03/18 11:41, squid wrote:
> > We are using squid as reverse proxy and we have disabled SSLv3 :
> >
> > https_port ... options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
>
> NP: Squid-3.5 or later is required for EC cipher support.
>
>
> >
> > Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2. Looking at the SSL handshake client hello and server hellos, it does seem that SSLv3 is being used. Is there something that we are missing?
> >
> > The version of Squid (3.1) is stock RH6, which I know is old, but for now we need to use it. We will be upgrading to RH7, but it may be a little while, so I'd like to get this solved.
> >
> > Secure Sockets Layer
> >     SSLv3 Record Layer: Handshake Protocol: Server Hello
> >         Content Type: Handshake (22)
> >         Version: SSL 3.0 (0x0300)
> >         Length: 74
> >         Handshake Protocol: Server Hello
> >             Handshake Type: Server Hello (2)
> >             Length: 70
> >             Version: SSL 3.0 (0x0300)
> >             Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
> >             Session ID Length: 32
> >             Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
> >             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> >             Compression Method: null (0)
>
> Which of the TCP connections was that hello performed on?
>
> You have apparently only disabled SSLv3 on the client->Squid connection.
> No information is provided about the Squid->server settings
> (sslproxy_options).
>
>
> Also, these options are handled by OpenSSL. They only work if the
> library Squid was built against supports them.
>
> Amos

Re: Disable SSLv3 Not working

Amos Jeffries
Administrator
On 03/04/18 03:48, squid wrote:
> I missed that I needed that setting (sslproxy_options) in a reverse proxy mode of operation. We haven't had to use any of the sslproxy_* options. I'll test that and see if it takes care of the issue.
>

It may or may not; that depends on the answer to the question you did
not answer yet, about which connection the handshake came from:
  squid->client or server->squid.

> Does this option need to be placed anywhere specifically in the config?  

No specific position.

>
> Also, does this require any other sslproxy_* options? Our goal is just to stop Nessus from flagging SSLv3. Thanks
>

The sslproxy_* directives are independent with regard to ordering, but
some of them (i.e. options and ciphers) interact in what they
permit/forbid the library to do.


Amos