On 13/09/18 12:54 PM, Alex Rousskov wrote:
> On 09/12/2018 03:47 PM, squid wrote:
>
>> We are using squid as reverse proxy and we have disabled SSLv3 :
>
>> https_port XXX.XXX.XXX.XXX:443 accel defaultsite=www.example.com
>> vhost cert=/etc/....cert.pem key=/etc/....privkey.pem
>> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
>> cipher=ECDHE-ECDSA ... dhparams=/etc/...dhparams.pem
>
>> We have also tried the sslproxy_options as well.
>
>> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not
>> SSLv2.
>
>> Version of Squid is (3.1.23) which is stock RH6 which I know is old,
>> but for now we need to use it.
>

I assume you mean RHEL6 rather than RH6 from the 1990's; if not, then my
sympathies.

OpenSSL options to disable SSLv3 were not added until Squid-3.2, when
TLS-only support was added.

FYI: the list of currently known security vulnerabilities for Squid-3.1 is
so long now that I have given up on trying to list them all in our wiki.
IMHO, even with RHEL patching, SSLv3 being enabled is the least of your
worries with that Squid.

*PLEASE* upgrade Squid. The RHEL maintainer is providing a special package
for later versions of Squid (IIRC a Squid-3.4 build) to help get RHEL6
people off it. Also, Eliezer here is providing packages of current Squid
releases for the Fedora/RHEL/CentOS OS family.

You can remove the EC* ciphers in your config. The extra settings required
to enable use of any Elliptic Curve support in the library were not added
until late in the Squid-3.5 series.

Amos
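As an added example (not code from the thread or from the Squid project), a small Python checker that parses an https_port line like the one quoted above and reports, for a given Squid version, the two points Amos makes: NO_SSLv3 is ignored before Squid-3.2, and EC ciphers are inert before the late 3.5 series. The listen address, file paths and the full cipher list are constructed; the version cut-offs are taken from the reply above, with the whole 3.5 series treated as lacking EC support for simplicity.

```python
"""Check a Squid https_port line for the SSLv3 and EC-cipher issues raised in the thread."""
from typing import Dict, List, Tuple

# Constructed sample modelled on the quoted config (the elided cipher list is filled in here).
SAMPLE_LINE = (
    "https_port 192.0.2.10:443 accel defaultsite=www.example.com "
    "vhost cert=/etc/squid/cert.pem key=/etc/squid/privkey.pem "
    "options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE "
    "cipher=ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256 "
    "dhparams=/etc/squid/dhparams.pem"
)


def parse_https_port(line: str) -> Dict[str, str]:
    """Split an https_port directive into its options; bare flags (accel, vhost) map to ''."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "https_port":
        raise ValueError("not an https_port directive")
    opts = {"listen": tokens[1]}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        opts[key] = value
    return opts


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.1.23' into (3, 1, 23) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_https_port(line: str, squid_version: str) -> List[str]:
    """Return findings explaining why SSLv3 may still be negotiable or ciphers are ineffective."""
    opts = parse_https_port(line)
    ver = version_tuple(squid_version)
    findings: List[str] = []
    ssl_options = {o for o in opts.get("options", "").split(",") if o}
    if "NO_SSLv3" not in ssl_options:
        findings.append("options= lacks NO_SSLv3: SSLv3 stays enabled")
    elif ver < (3, 2):
        # Per the reply: the OpenSSL options to disable SSLv3 only took effect from Squid-3.2.
        findings.append(f"NO_SSLv3 is set but Squid {squid_version} ignores it: SSLv3 stays enabled")
    ec_ciphers = [c for c in opts.get("cipher", "").split(":") if c.startswith("ECDH")]
    if ec_ciphers and ver < (3, 5):
        # Assumption: EC setup arrived late in 3.5, so every pre-3.5 build is treated as lacking it.
        findings.append(f"EC ciphers {ec_ciphers} are inert on Squid {squid_version}: remove them")
    return findings


if __name__ == "__main__":
    for finding in check_https_port(SAMPLE_LINE, "3.1.23"):
        print("-", finding)
```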