On 09/12/2018 03:47 PM, squid@xxxxxxxxxxxxxx wrote:
> We are using squid as reverse proxy and we have disabled SSLv3:
>
> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
>
> We have also tried the sslproxy_options as well.
>
> Using the Nessus scanning tool, it reports that SSLv3 is enabled, but not
> SSLv2.
>
> Version of Squid is (3.1.23) which is stock RH6 which I know is old,
> but for now we need to use it.
>
> The only thing we have been able to do so far is add NO_TLSv1 to the
> https_port section. Then the scan comes back clean. Not sure what
> to look at next. Any suggestions?

I can nominate three suspects:

1. Your OpenSSL version does not support/define SSL_OP_NO_SSLv3.
2. Your scanning tool is confused/lying. SSLv3 is actually disabled.
3. Your Squid mishandles SSL_OP_NO_SSLv3 or your configuration.

To detect #1, you can grep the source code of your OpenSSL version for the said constant.

To detect #2, you can try establishing an SSLv3-only connection to your Squid https_port using OpenSSL s_client. Sorry, I do not have an exact s_client command handy.

I cannot give you specific instructions for #3 detection, especially for such an old Squid version, but a capable developer can confirm that the configured option is applied successfully using a debugger or debugging patches. With access to the right setup, it should not take more than an hour or two (more without Squid knowledge).

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
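The two checks Alex suggests (#1: does the local OpenSSL define SSL_OP_NO_SSLv3; #2: does the https_port actually accept an SSLv3-only handshake) can be scripted so the result is a one-word verdict rather than a screenful of s_client output. The script below is an added example written for this thread, not Alex's code and not part of Squid or OpenSSL. It assumes the usual header path /usr/include/openssl/ssl.h, takes a hypothetical HOST and PORT for the listener, and matches the s_client phrases shown in the comments; the sample outputs fed to the classifier at the bottom are constructed, not captured from a real Squid. One caveat the classifier handles: an OpenSSL client built without SSLv3 (the default in modern builds) cannot attempt the handshake at all, which proves nothing about the server, so that case is reported as "unknown" rather than "disabled".

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid's or OpenSSL's own code.

# Suspect #1: does the local OpenSSL define SSL_OP_NO_SSLv3 at all?
# Prints "defined" or "missing". Header path is an assumption; pass your own.
openssl_has_no_sslv3_option() {
    hdr="${1:-/usr/include/openssl/ssl.h}"
    if [ -f "$hdr" ] && grep -q 'SSL_OP_NO_SSLv3' "$hdr"; then
        echo defined
    else
        echo missing
    fi
}

# Classify captured stdout+stderr of `openssl s_client -ssl3 -connect HOST:PORT`
# (read from stdin) into one of three verdicts:
#   enabled  - a real cipher was negotiated under SSLv3: the scanner finding stands
#   disabled - the server was reached but no SSLv3 session came up ("Cipher is (NONE)")
#   unknown  - the client could not probe (no -ssl3 support, connect failure, etc.)
# Order matters: s_client prints "Protocol  : SSLv3" in the session block even
# on a failed handshake, so the "Cipher is (NONE)" test must come first.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"nknown option"*|*"not supported"*|*"null ssl method"*|*"no protocols available"*)
            echo unknown ;;
        *"Cipher is (NONE)"*)
            echo disabled ;;
        *"Protocol  : SSLv3"*)
            echo enabled ;;
        *)
            echo unknown ;;
    esac
}

# Suspect #2: attempt an SSLv3-only handshake against the listener.
# usage: sslv3_probe www.example.com 443   (hypothetical host/port)
sslv3_probe() {
    host="$1"; port="${2:-443}"
    openssl s_client -ssl3 -connect "$host:$port" </dev/null 2>&1 | classify_s_client_output
}

# Demo on constructed (not captured) s_client output, so this runs offline.
# A rejected SSLv3 attempt still carries a "Protocol  : SSLv3" line; the
# classifier correctly reports "disabled" because no cipher was negotiated.
printf 'CONNECTED(00000003)\nNew, (NONE), Cipher is (NONE)\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n' \
    | classify_s_client_output
```

Run `openssl_has_no_sslv3_option` on the Squid host first: if it prints "missing", the NO_SSLv3 option in https_port cannot be doing anything and suspect #1 is confirmed before any network probe. Run `sslv3_probe` from a machine whose OpenSSL still supports `-ssl3` (an old build, or one built with enable-ssl3); a verdict of "unknown" means the probe did not happen and the Nessus finding is neither confirmed nor refuted.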