What version of Ubuntu are you using? I am releasing deb packages for the LTS versions at: http://ngtech.co.il/repo/ubuntu/ I have yet to update the repo db but the latest version of 3.5 is there for 14.04 and 16.04.(with ssl-bump) Eliezer ---- Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: eliezer@xxxxxxxxxxxx -----Original Message----- From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of chiasa.men Sent: Wednesday, September 6, 2017 18:34 To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: RC4-MD5 cipher is always enabled? Am Dienstag, 5. September 2017, 11:57:06 CEST schrieb Amos Jeffries: > On 05/09/17 20:55, chiasa.men wrote> Thanks, that was easy... but: > > That does not work: > > > > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem > > key=/ example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:!RC4:!MD5 > > > > openssl s_client -connect localhost:3128 > > 140048907216536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 > > alert handshake failure:s23_clnt.c:769: > > > > > > Allowing RC4 and MD5 works: > > > > https_port 3128 accel defaultsite=www.example.com cert=/example/cert.pem > > key=/ example/key.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4:MD5 > > > > openssl s_client -connect localhost:3128 > > > > Cipher : ECDH-ECDSA-RC4-SHA > > > > But openssl works without allowing RC4 and MD5: > > > > openssl s_server -cert /example/cert.pem -key /example/key.pem -cipher > > 'ECDHE- ECDSA-AES256-GCM-SHA384:!RC4:!MD5' > > > > openssl s_client -connect localhost:4433 > > > > Cipher : ECDHE-ECDSA-AES256-GCM-SHA384 > > > > So I guess the certificate and the openssl part should work. > > Maybe you could give another advice? > > " > cipher= > Colon separated list of supported ciphers. > NOTE: some ciphers such as EDH ciphers depend on > additional settings. If those settings are > omitted the ciphers may be silently ignored > by the OpenSSL library." > " > > For the ECDHE-* ciphers to work the server end needs to be configured > with curve parameters. That is done the tls-dh= option with a curve name > and > > " > tls-dh=[curve:]file > File containing DH parameters for temporary/ephemeral DH key > exchanges, optionally prefixed by a curve for ephemeral ECDH > key exchanges. > See OpenSSL documentation for details on how to create the > DH parameter file. Supported curves for ECDH can be listed > using the "openssl ecparam -list_curves" command. > > WARNING: EDH and EECDH ciphers will be silently disabled if > this option is not set. > " > > > btw, the used squid version: > > Squid Cache: Version 3.5.12 > > Service Name: squid > > Ubuntu linux > > Please upgrade. Somewhat urgently. > > * TLS/SSL has had a *lot* of progress in the past few years. There are > many security related issues resolved in the latest releases which exist > in the older ones. > > * ECDHE is a good example of the change. It is not supported *at all* by > that old version of Squid. > > When using TLS/SSL support Squid-3.5.24 is currently the oldest > acceptable Squid release as it contains extra mitigation for TLS DoS > vulnerabilities. The current 3.5.27 would be best from the 3.5 series. > > If you are not already aware there is no official security > support/tracking from Debian and Ubuntu for TLS/SSL vulnerabilities as > their packages do not ship with OpenSSL support. So following their > stable/security package version is of no benefit for TLS/SSL issues, you > need to track upstream releases yourself when custom building software > (that goes for anything, not just Squid). > > Amos > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users Thanks - rtfm often helps. Sorry for that! Furthermore my certificates were not corresponding to the ecc so I had to regenerate them via "openssl ecparam" (not openssl rsa). Kind of obvious but I just forgot about them. The version was simply compiled via apt source on Ubuntu. I'm using the current version now (un/fortunately Ubuntu is not bleeding edge) _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
