On 24/04/2015 7:11 a.m., dweimer wrote: > On 04/23/2015 9:24 am, dweimer wrote: >> I upgraded our Reverse proxy from 3.4.12 to 3.5.3 via the FreeBSD >> ports last night. It has broken our Outlook RPC over HTTPS. OWA and >> Phones are still connecting with Active Sync, its just the RPC for >> Outlook anywhere that is broken. >> >> Did anyone else have any issues when upgrading from 3.4 branch to 3.5 >> branch with Outlook RPC? > > In case anyone else is having an issue, I found the solution. Which also > solved a long standing issue with larger file uploads through > OWA/ActiveSync/RPC, that we were having. I had to force the cache peer > to use SSLv3 instead of TLSv1.0 by adding sslversion=3 to the cache peer > line. > > cache_peer 1.1.1.1 parent 443 0 ssl no-query proxy-only no-digest > originserver name=exchange2010_parent sslflags=DONT_VERIFY_PEER > login=PASSTHRU front-end-https=on connection-auth=on sslversion=3 > > The HTTPS port line is still enforcing TLSv1.0 or newer, with restricted > ciphers. > > https_port 1.1.1.2:443 accel cert=... key=... > options=NO_SSLv2:NO_SSLv3:CIPHER_SERVER_PREFERENCE > cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 > > Ouch. Good to know thank you. FYI: That workaround is one to keep an eye on. You may find the workaround needs undoing at some point soonish. MS are officially in the process of releasing updates that remove and disable SSLv3 support from their software. It began back in Oct/Nov 2014 and seems to be moving across the product range in a staged rollout with each of the "Patch Tueday" so far (and probaly some future). Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
