does that need to be https_port ? this is what I have used

https_port 2.7.3.1:443 accel cert=/etc/httpd/conf.d/a,b,c.crt key=/etc/httpd/conf.d/a.b.c.key defaultsite=a.b.c options=NO_SSLv2,NO_SSLv3

The only thing I haven't got working is PFS. I test with https://www.ssllabs.com/

Alex

On 22 November 2014 at 03:07, Sebastian Fohler <info@xxxxxxxxxxxxx> wrote:
> Thank you Amos,
>
> I've implemented http_port 80 ssl-bump options=NO_SSLv3:NO_SSLv2
> Yet still the proxy accepts SSLv3 connections in the sniffing protocol.
>
> Something is still wrong.
>
> Best regards
> Sebastian
>
>
> On 21.11.2014 16:29, Amos Jeffries wrote:
>>
>> On 22/11/2014 3:57 a.m., Sebastian Fohler wrote:
>>>
>>> I've disabled SSLv3 with this option set in my squid.conf file:
>>>
>>> sslproxy_options NO_SSLv3 NO_SSLv2
>>>
>>> But despite that fact, the squid proxy accepted the configuration
>>> without any problems, I still get SSLv3 connections working. I've
>>> sniffed the traffic on that interface on the proxy port and if I
>>> do an SSLv3 connection from the browser and do a poodle check, the
>>> sniffing protocol shows an established SSLv3 connection.
>>
>>
>> The connection between browser and Squid is controlled by the *_port
>> settings.
>>
>> sslproxy_* directives are purely for DIRECT or ORIGINAL_DST server
>> connections.
>>
>>>
>>> Can someone tell me if I missed something here?
>>
>>
>> The sslproxy_options setting is an OpenSSL format string. Which is a
>> list of comma (',') or colon (':') separated OpenSSL option names.
>>
>>
>> What you need to configure is something like these:
>>
>> # to prevent SSL on inbound traffic
>> https_port ... options=NO_SSLv3:NO_SSLv2
>> http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2
>>
>> # to prevent SSL on direct server traffic
>> sslproxy_options NO_SSLv3:NO_SSLv2
>>
>> # to prevent SSL on relayed peer connections
>> cache_peer ... ssloptions=NO_SSLv3:NO_SSLv2
>>
>>
>>> Is there some option which could override the sslproxy_options
>>> setting?
>>
>>
>> If anything the OpenSSL library configuration may have such options.
>> But AFAIK that is for configuring the defaults and squid.conf settings
>> are overriding them.
>>
>>
>>> How can I check if the sslproxy_options are really being used?
>>
>>
>> Good question. I'm not aware of anything in particular. If there is an
>> SSL/TLS testing website connecting to it through Squid should tell you.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
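A static squid.conf check that follows Amos's breakdown above (browser-facing `*_port options=`, `sslproxy_options` for origin servers, `cache_peer ssloptions=` for peers), added here as an example and not code from Squid or from any poster in the thread. The directive and option names come from the thread; the config fragment is constructed, and the `ssl` flag on `cache_peer` is assumed to mark a TLS peer.

```python
import re
import shlex

REQUIRED = {"NO_SSLv2", "NO_SSLv3"}

def parse_options(value):
    """Split an OpenSSL option string on ',' or ':' (Squid accepts both)."""
    return {o for o in re.split(r"[,:]", value) if o}

def _kv_options(args, key):
    """Collect option names from every 'key=...' argument of a directive."""
    return set().union(*(parse_options(a[len(key) + 1:])
                         for a in args if a.startswith(key + "=")))

def check_squid_conf(text):
    """Return one finding per TLS-relevant directive lacking NO_SSLv2/NO_SSLv3."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = shlex.split(line)
        note = None
        if directive == "https_port" or (directive == "http_port" and "ssl-bump" in args):
            opts = _kv_options(args, "options")        # browser -> Squid
        elif directive == "cache_peer" and "ssl" in args:
            opts = _kv_options(args, "ssloptions")     # Squid -> TLS peer (assumed 'ssl' flag)
        elif directive == "sslproxy_options":          # Squid -> origin server
            opts = set().union(*(parse_options(a) for a in args))
            if len(args) > 1:                          # Amos: one ','/':'-separated string
                note = "space-separated; use one ','- or ':'-separated string"
        else:
            continue                                   # no TLS on this line
        missing = sorted(REQUIRED - opts)
        if missing or note:
            findings.append({"line": lineno, "directive": directive,
                             "missing": missing, "note": note})
    return findings

# Constructed squid.conf fragment mixing the settings quoted in the thread.
SAMPLE_CONF = """\
sslproxy_options NO_SSLv3 NO_SSLv2
http_port 80 ssl-bump options=NO_SSLv3:NO_SSLv2
https_port 443 accel cert=/etc/squid/a.b.c.crt key=/etc/squid/a.b.c.key options=NO_SSLv2,NO_SSLv3
http_port 3128
https_port 8443 accel cert=/etc/squid/x.crt
cache_peer upstream.example parent 443 0 ssl ssloptions=NO_SSLv3
"""
```

Running `check_squid_conf(SAMPLE_CONF)` flags the space-separated `sslproxy_options` line, the `https_port` with no `options=` at all, and the peer that only disables SSLv3; a plain `http_port` without `ssl-bump` is skipped since it carries no TLS.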