
Re: Disable SSLv3 Not working


 



On 31/03/18 11:41, squid wrote:
> We are using squid as reverse proxy and we have disabled SSLv3:
> 
> https_port ... options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

NP: Squid-3.5 or later is required for EC cipher support.


> 
> Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2. Looking at the SSL handshake client hello and server hellos, it does seem that SSLv3 is being used. Is there something that we are missing?
> 
> Version of Squid (3.1) is stock RH6, which I know is old, but for now we need to use it. We will be upgrading to RH7, but it may be a little while so I'd like to get this solved.
> 
> Secure Sockets Layer
>     SSLv3 Record Layer: Handshake Protocol: Server Hello
>         Content Type: Handshake (22)
>         Version: SSL 3.0 (0x0300)
>         Length: 74
>         Handshake Protocol: Server Hello
>             Handshake Type: Server Hello (2)
>             Length: 70
>             Version: SSL 3.0 (0x0300)
>             Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
>             Session ID Length: 32
>             Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
>             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>             Compression Method: null (0)

Which of the TCP connections was that hello performed on?

You have apparently only disabled SSLv3 on the client->Squid connection.
No information is provided about the Squid->server settings
(sslproxy_options).


Also, these options are handled by OpenSSL. They only work if the
library Squid was built against supports them.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
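
An added example, not part of the original message and not Squid code: a small Python parser for the Server Hello record dissected in the quoted capture. It reports the negotiated version, so the same check can be run on a capture from each connection (client->Squid and Squid->server). The Random and Session ID are truncated in the post, so the sample record uses constructed zero-filled placeholders; the function names are hypothetical.

```python
import struct

# Wire values from the SSL/TLS specs. TLS 1.3 also sends 0x0303 in this field
# (its real version is in an extension that this example does not parse).
VERSIONS = {0x0200: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
DEPRECATED = {0x0200, 0x0300}  # the protocols the poster wants disabled

def parse_server_hello(record: bytes) -> dict:
    """Parse one record carrying a ServerHello; ValueError if malformed."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    if body[0] != 2:
        raise ValueError(f"not a ServerHello (handshake type {body[0]})")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]   # 32-byte Random follows
    end = 35 + hello[34]                          # skip the Session ID
    if len(hello) < end + 3:
        raise ValueError("truncated ServerHello")
    cipher, compression = struct.unpack("!HB", hello[end:end + 3])
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher": cipher, "compression": compression,
            "deprecated": version in DEPRECATED}

def sample_record(version: int = 0x0300) -> bytes:
    """Constructed record with the field layout shown in the capture."""
    filler = bytes(32)  # placeholder: Random and Session ID are elided in the post
    hello = (struct.pack("!H", version) + filler + bytes([32]) + filler
             + struct.pack("!HB", 0x0039, 0))
    handshake = bytes([2]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_server_hello(sample_record()))
```
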



