Re: [squid-users] Require SSL version 3

From: <JSiergiej@dont-contact.us>
Date: Tue, 15 Jan 2008 07:32:38 -0500

Amos,

I am not running the version= on any of the sites right now, I only
included the version= in the provided code so you can see where I placed
it and see if there was anything wrong with how I did it. So, answering
your first question, the outside test is talking about all of the sites.

In terms of further info for the version not working, when I place it in
my code and launch squid and try to go to the https portion of the site,
my browser (firefox) told me that the transmission was interrupted. In
the squid terminal window, I get the following:

clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
clientNegotiateSSL: Error negotiating SSL connection on FD 22:
error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1)

I have not tried the option=NO_SSLv2,NO_SSLv1. That will be my next move.

In terms of the upgrade to Squid 2.6STABLE17+ or 3.0STABLE1+, is it an
easy upgrade or is there a lot of configuration involved?

Thanks,

Jack Siergiej

Amos Jeffries <squid3@treenet.co.nz>
01/15/2008 02:43 AM

To: JSiergiej@pennsoftware.com
cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Require SSL version 3

JSiergiej@pennsoftware.com wrote:
> Hello all,
>
> I have a client that is requiring the use of only SSL version 3 for their
> websites. When a vulnerability scan is done by an outside firm against
> squid, the report states that SSLV2 is allowed and we can't have that.

Firstly, I see several HTTPS address/port open in the config below.
Several do not have a version= limit set on them. Are you certain the
outside test report is not talking about one of those?

>
> I went to the
> http://www.squid-cache.org/Versions/v2/2.6/cfgman/https_port.html page and
> tried appending the option "version=3" to the end of my https_port line
> for one of the sites (see below), but after I do this, I cannot view the
> https portion of the site. It tells me that the page was interrupted. If
> I remove the version=3 line, I am fine.
>
> What do I need to do to make each of the sites below only accept SSLV3
> connections? Any help would be appreciated.

version= not working is a bug. Any further info you can provide would be
welcome in tracking it down.

Secondly, for your production use there also appear to be the
alternatives:
   https_port ... option=NO_SSLv2,NO_SSLv1

>
> # Run Squid in virtual host mode
> http_port 80 vhost
>
> # Client1 reverse proxy config
> https_port 172.16.0.107:443 protocol=https vhost cert=/usr/local/squid/etc/devstore.pem key=/usr/local/squid/etc/devstore.key version=3
> cache_peer 192.168.0.7 parent 80 0 no-query originserver name=store.client1.com
> #acl client1 dstdomain store.client1.com
> acl client1 dstdomain xxx.xxx.xxx.xxx store.client1.com
> http_access allow client1
> cache_peer_access store.client1.com allow client1
>
>
> # Client2 reverse proxy config
> https_port 172.16.0.111:443 protocol=https cert=/usr/local/squid/etc/ctccert.pem key=/usr/local/squid/etc/ctccert.key vhost

no version= there...

> cache_peer 192.168.0.11 parent 80 0 no-query originserver name=store.client2.com
> acl client2 dstdomain xxx.xxx.xxx.xxx store.client2.com
> http_access allow client2
> cache_peer_access store.client2.com allow client2
>
> # Client3 reverse proxy config
> https_port 172.16.0.105:443 protocol=https cert=/usr/local/squid/etc/devstore.pem key=/usr/local/squid/etc/devstore.key vhost

And another missing the version.

> cache_peer 192.168.0.05 parent 80 0 no-query originserver name=store.client3.com
> acl client3 dstdomain store.client3.com
> http_access allow client3
> cache_peer_access store.client3.com allow client3
>
> # Client4 reverse proxy config
> https_port 172.16.0.106:443 protocol=https cert=/usr/local/squid/etc/cycert.pem key=/usr/local/squid/etc/cycert.key vhost

And another missing the version.

> cache_peer 192.168.0.06 parent 80 0 no-query originserver name=store.client4.com
> acl client4 dstdomain store.client4.com
> http_access allow client4
> cache_peer_access store.client4.com allow client4
>
> # Client5 reverse proxy config
> https_port 172.16.0.120:443 protocol=https cert=/usr/local/squid/etc/opaccess.pem key=/usr/local/squid/etc/opaccess.key vhost

And another missing the version.

> cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl name=store.client5.com
> acl client5 dstdomain store.client5.com
> http_access allow client5
> cache_peer_access store.client5.com allow client5
>
>
>
> # --- Begin default config options --- #
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> access_log /usr/local/squid/var/logs/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl TRACE method TRACE
>
> # Deny HTTP TRACE method
> http_access deny TRACE
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> #Allow ICP queries from everyone
> icp_access allow all
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache
>
> Thanks,
>
> Jack Siergiej
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Jan 15 2008 - 05:35:44 MST
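Amos's point in the thread is that a scanner reporting "SSLv2 allowed" is most likely hitting one of the https_port listeners that carries no protocol limit at all, so the first thing to do is audit every https_port line rather than the one that was edited. The following checker is an added example written for this archive page; it is not code from the thread or from the Squid project. It reads a squid.conf text, finds each https_port line, and reports whether that listener rules out SSLv2 either through version= (3 = SSLv3 only, 4 = TLSv1 only, as documented on the 2.6 cfgman page) or through an options= list containing NO_SSLv2. The key documented by Squid is options= (plural); the checker also accepts the option= spelling used in the reply above, which is an assumption on my part. The sample configuration at the top is constructed for the demonstration and mirrors the shape of the posted config, not its real addresses or certificate paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the thread's reverse-proxy config:
# listener 1 is limited with version=3, listener 2 with options=NO_SSLv2,
# listener 3 has no limit and is the one a scanner would flag.
SAMPLE_CONF = """\
# Client1 reverse proxy config
https_port 172.16.0.107:443 protocol=https vhost cert=/etc/c1.pem key=/etc/c1.key version=3
cache_peer 192.168.0.7 parent 80 0 no-query originserver name=store.client1.com

# Client2 reverse proxy config
https_port 172.16.0.111:443 protocol=https cert=/etc/c2.pem key=/etc/c2.key vhost options=NO_SSLv2,NO_SSLv3

# Client3 reverse proxy config
https_port 172.16.0.105:443 protocol=https cert=/etc/c3.pem key=/etc/c3.key vhost
"""

# version= values from the https_port documentation: 1 automatic (default),
# 2 SSLv2 only, 3 SSLv3 only, 4 TLSv1 only.
VERSIONS_WITHOUT_SSLV2 = {"3", "4"}


@dataclass
class PortFinding:
    lineno: int            # 1-based line in the config text
    listen: str            # address:port or port token after https_port
    version: Optional[str] # value of version=, if present
    options: List[str]     # split value of options= / option=, if present
    sslv2_blocked: bool    # True when the listener cannot negotiate SSLv2
    reason: str            # human-readable justification


def _classify(listen: str, lineno: int, kv: dict) -> PortFinding:
    """Decide whether one https_port line rules out SSLv2."""
    version = kv.get("version")
    # Accept both the documented 'options=' and the 'option=' spelling
    # from the reply (assumption: treat them as the same key).
    raw_opts = kv.get("options", kv.get("option", ""))
    options = [o for o in raw_opts.split(",") if o]

    if version in VERSIONS_WITHOUT_SSLV2:
        return PortFinding(lineno, listen, version, options, True,
                           f"version={version} excludes SSLv2")
    if version == "2":
        return PortFinding(lineno, listen, version, options, False,
                           "version=2 means SSLv2 only")
    if "NO_SSLv2" in options:
        return PortFinding(lineno, listen, version, options, True,
                           "options= contains NO_SSLv2")
    return PortFinding(lineno, listen, version, options, False,
                       "no version= or NO_SSLv2 limit: SSLv2 negotiable")


def audit_https_ports(conf_text: str) -> List[PortFinding]:
    """Return one finding per https_port directive in the config text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped.startswith("https_port"):
            continue
        tokens = stripped.split()
        if len(tokens) < 2:
            continue                                # malformed: no listen spec
        listen = tokens[1]
        # Remaining tokens are either key=value pairs or bare flags (vhost).
        kv = {}
        for tok in tokens[2:]:
            m = re.fullmatch(r"([A-Za-z_]+)=(.*)", tok)
            if m:
                kv[m.group(1)] = m.group(2)
        findings.append(_classify(listen, lineno, kv))
    return findings


def unlimited_listeners(conf_text: str) -> List[str]:
    """Listen specs that still allow SSLv2, i.e. what a scanner would report."""
    return [f.listen for f in audit_https_ports(conf_text) if not f.sslv2_blocked]


if __name__ == "__main__":
    for f in audit_https_ports(SAMPLE_CONF):
        status = "ok " if f.sslv2_blocked else "WARN"
        print(f"{status} line {f.lineno}: {f.listen}: {f.reason}")
```

Running the module prints one line per listener; on the constructed sample only the third listener is reported as still negotiable for SSLv2. Against a real squid.conf, feed the file contents to `audit_https_ports` and compare the `WARN` entries with the address:port pairs named in the scanner's report.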

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST