Thank you Amos,
I've implemented http_port 80 ssl-bump options=NO_SSLv3:NO_SSLv2
Yet still the proxy accepts SSLv3 connections in the sniffing protocol.
Something is still wrong.
Best regards
Sebastian
On 21.11.2014 16:29, Amos Jeffries wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 22/11/2014 3:57 a.m., Sebastian Fohler wrote:
I've disabled SSLv3 with this option set in my squid.conf file:
sslproxy_options NO_SSLv3 NO_SSLv2
But despite that fact, the squid proxy accepted the configuration
without any problems, I still get SSLv3 connections working. I've
sniffed the traffice on that interface on the proxy port and if I
do a SSLv3 connection from the browser and do a poodle check, the
sniffing protocol shows an established SSLv3 connection.
The connection between browser and Squid is controlled by the *_port
settings.
sslproxy_* directives are purely for DIRECT or ORIGINAL_DST server
connections.
Can someone tell me if I missed something here?
The sslproxy_options setting is an OpenSSL format string. Which is a
list of comma (',') or colon (':') separated OpenSSL option names.
What you need to configure is something like these:
# to prevent SSL on inbound traffic
https_port ... options=NO_SSLv3:NO_SSLv2
http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2
# to prevent SSL on direct server traffic
sslproxy_options NO_SSLv3:NO_SSLv2
# to prevent SSL on relayed peer connections
cache_peer ... ssloptions=NO_SSLv3:NO_SSLv2
Is there some option which could override the sslproxy_options
setting?
If anything the OpenSSL library configuration may have such options.
But AFAIK that is for configuring the defaults and squid.conf settings
are overriding them.
How can I check if the sslproxy_options are really being used?
Good question. I'm not aware of anything in particular. If there is an
SSL/TLS testing website connecting to it through Squid should tell you.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUb1pVAAoJELJo5wb/XPRjTPAIAJiboRyQ7kwCTW9bByF8yT99
oD/u8W23DQ5p6sl1bfvKGeZBwUIkn5qX6pzF8RDZIWFrz/Fu1N0b7KMpdqQYqsFC
W/dfyXywucWSmnTj32e47Wa9q1Y4u/r1oa6tDUBCsUM9Dh4iVS2UI6akyy1HkuEk
Zpxl7iF9UcPyRBZ7cvTl7iZSFHRgPEokdaXNo+qKLDQUpNg5XlK82wf4JY+EUyt1
AvBz32cCIVz9ErQ5RckCTCV3XTLOUFoAXrbOiApGe07Gum746yAnRzuB07LYCwwY
16XL5N+mjw5Gj+70pMGVfaieoQHK7W9L7qJPDLy+JqL7Z2r81GjD4tb6O0txAgo=
=NbHW
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
