JSiergiej@xxxxxxxxxxxxxxxx wrote:
Amos,
When I added the option=NO_SSLv2,NO_SSLv3 lines and tried to start squid,
I got a fatal error. It said something about the syntax being wrong on
the line. I took the lines out and tried to start squid, and my swap file
got corrupted. I had to rename the swap file and let squid create a new
one. Then it started. Phew!!
Any reason why it wouldn't let me put in the option line? I stuck it right
at the end of the https_port line, right after the key= definition.
Oh, no idea myself; I'm still trying to get the hang of the cert formats.
File a bug for this and the version= issue. Henrik needs to track it down
for you, as he is the guru for both 2.6 and SSL.
Amos
Thanks,
Jack Siergiej
Amos Jeffries <squid3@xxxxxxxxxxxxx>
01/15/2008 07:41 AM
To: JSiergiej@xxxxxxxxxxxxxxxx
cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Require SSL version 3
JSiergiej@xxxxxxxxxxxxxxxx wrote:
Amos,
I am not running the version= on any of the sites right now; I only
included the version= in the provided code so you can see where I placed
it and see if there was anything wrong with how I did it. So, answering
your first question, the outside test is talking about all of the sites.
In terms of further info for the version= not working, when I place it in
my code and launch squid and try to go to the https portion of the site,
my browser (Firefox) told me that the transmission was interrupted. In
the squid terminal window, I get the following:
clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
clientNegotiateSSL: Error negotiating SSL connection on FD 22:
error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number
(1/-1)
I have not tried the option=NO_SSLv2,NO_SSLv1. That will be my next
move.
In terms of the upgrade to Squid 2.6STABLE17+ or 3.0STABLE1+, is it an
easy upgrade, or is there a lot of configuration involved?
Relatively easy upgrade config-wise. I did not see anything in your
posted lines which was deprecated in 2.6 and removed in 3.0.
There is a short list, if you have further config, at
http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html#modifiedtags
Amos
Thanks,
Jack Siergiej
Amos Jeffries <squid3@xxxxxxxxxxxxx>
01/15/2008 02:43 AM
To: JSiergiej@xxxxxxxxxxxxxxxx
cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Require SSL version 3
JSiergiej@xxxxxxxxxxxxxxxx wrote:
> Hello all,
>
> I have a client that is requiring the use of only SSL version 3 for their
> websites. When a vulnerability scan is done by an outside firm against
> squid, the report states that SSLV2 is allowed and we can't have that.
Firstly, I see several HTTPS address/port pairs open in the config below.
Several do not have a version= limit set on them. Are you certain the
outside test report is not talking about one of those?
>
> I went to the
> http://www.squid-cache.org/Versions/v2/2.6/cfgman/https_port.html page and
> tried appending the option "version=3" to the end of my https_port line
> for one of the sites (see below), but after I do this, I cannot view the
> https portion of the site. It tells me that the page was interrupted. If
> I remove the version=3 line, I am fine.
>
> What do I need to do to make each of the sites below only accept SSLV3
> connections? Any help would be appreciated.
version= not working is a bug. Any further info you can provide would be
welcome in tracking it down.
Secondly, for your production use there also appear to be these
alternatives:
https_port ... option=NO_SSLv2,NO_SSLv1
>
> # Run Squid in virtual host mode
> http_port 80 vhost
>
> # Client1 reverse proxy config
> https_port 172.16.0.107:443 protocol=https vhost cert=/usr/local/squid/etc/devstore.pem key=/usr/local/squid/etc/devstore.key version=3
> cache_peer 192.168.0.7 parent 80 0 no-query originserver
> name=store.client1.com
> #acl client1 dstdomain store.client1.com
> acl client1 dstdomain xxx.xxx.xxx.xxx store.client1.com
> http_access allow client1
> cache_peer_access store.client1.com allow client1
>
>
> # Client2 reverse proxy config
> https_port 172.16.0.111:443 protocol=https cert=/usr/local/squid/etc/ctccert.pem key=/usr/local/squid/etc/ctccert.key vhost
no version= there...
> cache_peer 192.168.0.11 parent 80 0 no-query originserver
> name=store.client2.com
> acl client2 dstdomain xxx.xxx.xxx.xxx store.client2.com
> http_access allow client2
> cache_peer_access store.client2.com allow client2
>
> # Client3 reverse proxy config
> https_port 172.16.0.105:443 protocol=https cert=/usr/local/squid/etc/devstore.pem key=/usr/local/squid/etc/devstore.key vhost
And another missing the version.
> cache_peer 192.168.0.05 parent 80 0 no-query originserver
> name=store.client3.com
> acl client3 dstdomain store.client3.com
> http_access allow client3
> cache_peer_access store.client3.com allow client3
>
> # Client4 reverse proxy config
> https_port 172.16.0.106:443 protocol=https cert=/usr/local/squid/etc/cycert.pem key=/usr/local/squid/etc/cycert.key vhost
And another missing the version.
> cache_peer 192.168.0.06 parent 80 0 no-query originserver
> name=store.client4.com
> acl client4 dstdomain store.client4.com
> http_access allow client4
> cache_peer_access store.client4.com allow client4
>
> # Client5 reverse proxy config
> https_port 172.16.0.120:443 protocol=https cert=/usr/local/squid/etc/opaccess.pem key=/usr/local/squid/etc/opaccess.key vhost
And another missing the version.
> cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl
> name=store.client5.com
> acl client5 dstdomain store.client5.com
> http_access allow client5
> cache_peer_access store.client5.com allow client5
>
>
>
> # --- Begin default config options --- #
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> access_log /usr/local/squid/var/logs/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl TRACE method TRACE
>
> # Deny HTTP TRACE method
> http_access deny TRACE
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> #Allow ICP queries from everyone
> icp_access allow all
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache
>
> Thanks,
>
> Jack Siergiej
>
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
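Two checks that would have shortened this thread, as an added example (not code from the squid-users list or from the Squid project): a config audit that lists every https_port directive lacking a protocol restriction, and a live probe with openssl s_client to confirm what the listener actually accepts, which is what the outside scanner is measuring. It assumes a Squid 2.6/3.0-style squid.conf in which each https_port directive sits on a single line (the wrapping in the posted config is an e-mail artifact), and an openssl binary whose s_client still understands -ssl2/-ssl3/-tls1. In Squid's https_port syntax the parameter is spelled options= (plural); the audit flags the singular option= seen in the thread, since Squid rejects it as a syntax error. The sample config is constructed here; hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from the Squid project.
#   1. audit a squid.conf for https_port lines that carry no protocol restriction
#   2. probe a live listener with openssl s_client to see which versions it accepts
# Assumes one https_port directive per line and an openssl s_client that accepts
# -ssl2/-ssl3/-tls1 (modern builds have SSLv2, and usually SSLv3, compiled out).

# audit_https_ports CONF
# One line per https_port directive: OK / UNRESTRICTED / SYNTAX plus the listen
# address.  version=N restricts to a single protocol (2 = SSLv2, 3 = SSLv3,
# 4 = TLSv1; 1 is "automatic", i.e. no restriction); options=NO_SSLv2,... is
# the alternative form.  The parameter name is plural: "option=" is a typo.
audit_https_ports() {
    grep -E '^[[:space:]]*https_port[[:space:]]' "$1" | while IFS= read -r line; do
        addr=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$line" in
            *version=[234]*)     echo "OK $addr (version=)" ;;
            *options=*NO_SSLv2*) echo "OK $addr (options=NO_SSLv2)" ;;
            *option=*)           echo "SYNTAX $addr (option= is invalid; Squid expects options=)" ;;
            *)                   echo "UNRESTRICTED $addr" ;;
        esac
    done
}

# count_unrestricted CONF -> number of https_port lines with no restriction
count_unrestricted() {
    audit_https_ports "$1" | grep -c '^UNRESTRICTED' || true
}

# probe_ssl_versions HOST PORT
# One handshake attempt per protocol version.  Needs network access.  A
# REJECTED line only proves the server refused *this* openssl's attempt, so
# check "openssl s_client -help" lists the flag before trusting a REJECTED.
probe_ssl_versions() {
    host="$1"; port="$2"
    for flag in -ssl2 -ssl3 -tls1; do
        if echo | openssl s_client -connect "$host:$port" "$flag" >/dev/null 2>&1; then
            echo "ACCEPTED $flag"
        else
            echo "REJECTED $flag"
        fi
    done
}

# write_sample_conf PATH: constructed squid.conf fragment modelled on the
# thread's layout: one port with version=3, one with the singular "option="
# typo, one with a correct options= line, two unrestricted.
write_sample_conf() {
    cat > "$1" <<'EOF'
http_port 80 vhost
https_port 172.16.0.107:443 protocol=https vhost cert=/etc/squid/a.pem key=/etc/squid/a.key version=3
https_port 172.16.0.111:443 protocol=https cert=/etc/squid/b.pem key=/etc/squid/b.key vhost
https_port 172.16.0.105:443 protocol=https cert=/etc/squid/c.pem key=/etc/squid/c.key vhost option=NO_SSLv2,NO_SSLv3
https_port 172.16.0.106:443 protocol=https cert=/etc/squid/d.pem key=/etc/squid/d.key vhost options=NO_SSLv2,NO_SSLv3
https_port 172.16.0.120:443 protocol=https cert=/etc/squid/e.pem key=/etc/squid/e.key vhost
cache_peer 192.168.0.7 parent 80 0 no-query originserver name=store.example.com
EOF
}

# Stand-alone demo on the constructed sample.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
audit_https_ports "$demo_conf"
echo "unrestricted: $(count_unrestricted "$demo_conf")"
rm -f "$demo_conf"
```

Run the audit against the real squid.conf first (`audit_https_ports /usr/local/squid/etc/squid.conf`); every line it reports as UNRESTRICTED is a listener the scanner can legitimately flag for SSLv2, regardless of what the one port carrying version=3 does. Then run `probe_ssl_versions 172.16.0.107 443` from a host that still has an SSLv2-capable openssl, so the result matches what the outside firm's scanner would see rather than what a modern client can negotiate.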