Is there a way to verify that the SSL library doesn't support SSLv3?
Renato Jop
On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoinov@xxxxxxxxx> wrote:
Looks like your SSL library does not contain SSLv3 protocol support already, but site announce it.
27.06.2016 20:42, Renato Jop пишет:
I removed the NO_SSLv2, NO_SSLv3 however, right before the SSL3_GET_RECORD:wrong version number the SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
Renato Jop
On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov@xxxxxxxxx> wrote:
Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not supported everywhere, RC4/3DES is SSLv3 ciphers, so it can be confuse software. I.e., you use custom ciphers/protocols combinations, which can lead issue.
27.06.2016 20:25, Renato Jop пишет:
Thank you both for your valuable help.I've configured the tls-dh param with a strong Diffie-Hellman group (2048 bits) and configured the cipher as Yuri specified and I was able to get pass the unknown cipher, however now I get a "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the configuration I changed:
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE tls-dh=/usr/local/etc/squid/dhparams.pem
Renato Jop
On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
25.06.2016 23:09, Amos Jeffries пишет:
> On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>
>> Amos, you are a wrong.
>>
>> No Squid-4. It's unstable and not ready for production. Whenever it's
>> features.
>
> So some beta software has bugs therefore nobody should ever use it for
> anything. I find that to be a strange and sad view of the world.
>
> Care to guess why I listed it as the last option amongst several?
> Or why 4.0.11 exists as a beta still?
> It *is* an option for the mentioned problem(s) though whatever its
utility.
Agreed.
>
>
>
>>
>> Some time ago I have the same issue and know what happens exactly.
>>
>> Skype initial connection site uses RC4 cipher. Which is disabled in most
>> squid's configuration.
>
> Your "know what happens exactly" differs from at least two other peoples
> debugging experiences with Skype.
>
> RC4 is on the hitlist for most of the big vendors for the past year or
> so. IIRC there were several Windows Updates to remove it and other
> broken bits from a lot of things over the past year.
> If Skype is still using RC4 it might be part of this problem.
I'm sure this is problem and this problem exists. MS do nothing to make
they sites/services more secure. BTW, MS Updates uses RC4 ciphers itself
this time. With strong siphers there is no way to setup WU via Squid.
I've spent much time to identify this problem in my setup and find
working workaround.
Another part of problem is: MS often uses it's own self-signed roots,
which is exists in Windows, but nowhere else. And which has not
cross-signed by well-known root CA's. They think it make MS services
more secure. They wrong. But we can't do anything with it. So, this is
forced us to add self-signed MS roots to our Squid's CA bundles to
bump/splice.
>
>
>>
>> To make it works (as by as most M$ update sites) it's require simple use
>> this cipher's suite:
>>
>> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>
>> That works for me in 5 SSL bumped setups. There is no matter which squid
>> version installed.
>
> Thank you. Thats another option then. I'd rate that below trying the EC
> ciphers, and above library updates.
You are welcome.
Just for information: MS has own IT infrastructure, with some strange
configured and non well-managed elements. I can't guarantee this
workaround will work everywhere or for every MS service.
When I made my research, I've seen some strange security TLS
combinations on MS sites/services. I.e., for example, RC4+ECDSA+TLSv1.2.
Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
potentially dangerous combinations. And - they support ignores all
requests. As usual.
To my regret, I can not order all of its users to abandon the use of
Windows. So far, in my infrastructure have machines with Windows XP.
With this nothing can be done, it is necessary only to weaken the
security - for the sake of compatibility.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z
yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW
OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS
0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK
3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF
Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=
=8BTp
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
