Re: [squid-users] Require SSL version 3

From: Amos Jeffries <[email protected]>
Date: Wed, 16 Jan 2008 01:41:07 +1300

JSiergiej@pennsoftware.com wrote:
>
> Amos,
>
> I am not running the version= on any of the sites right now, I only
> included the version= in the provided code so you can see where I placed
> it and see if there was anything wrong with how I did it. So, answering
> your first question, the outside test is talking about all of the sites.
>
> In terms of further info for the version not working, when I place it in
> my code and launch squid and try to go to the https portion of the site,
> my browser (firefox) told me that the transmission was interrupted. In
> the squid terminal window, I get the following:
>
> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number (1/-1)
>
> I have not tried the option=NO_SSLv2,NO_SSLv1. That will be my next move.
>
> In terms of the upgrade to Squid 2.6STABLE17+ or 3.0STABLE1+, is it an
> easy upgrade or is there a lot of configuration involved?

Relatively easy upgrade config-wise. I did not see anything in your
posted lines which was deprecated in 2.6 and killed in 3.0.

There is a short list if you have further config at
http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html#modifiedtags

Amos

>
> Thanks,
>
> Jack Siergiej
>
>
>
>
> *Amos Jeffries <squid3@treenet.co.nz>*
>
> 01/15/2008 02:43 AM
>
>
> To
> JSiergiej@pennsoftware.com
> cc
> squid-users@squid-cache.org
> Subject
> Re: [squid-users] Require SSL version 3
>
> JSiergiej@pennsoftware.com wrote:
> > Hello all,
> >
> > I have a client that is requiring the use of only SSL version 3 for
> > their
> > websites. When a vulnerability scan is done by an outside firm against
> > squid, the report states that SSLV2 is allowed and we can't have that.
>
> Firstly, I see several HTTPS address/port open in the config below.
> Several do not have a version= limit set on them. Are you certain the
> outside test report is not talking about one of those?
>
> >
> > I went to the
> > http://www.squid-cache.org/Versions/v2/2.6/cfgman/https_port.html
> > page and
> > tried appending the option "version=3" to the end of my https_port line
> > for one of the sites (see below), but after I do this, I cannot view the
> > https portion of the site. It tells me that the page was
> > interrupted. If
> > I remove the version=3 line, I am fine.
> >
> > What do I need to do to make each of the sites below only accept SSLV3
> > connections? Any help would be appreciated.
>
> version= not working is a bug. Any further info you can provide would be
> welcome in tracking it down.
>
> Secondly, for your production use there also appear to be the
> alternatives:
> https_port ... option=NO_SSLv2,NO_SSLv1
>
> >
> > # Run Squid in virtual host mode
> > http_port 80 vhost
> >
> > # Client1 reverse proxy config
> > https_port 172.16.0.107:443 protocol=https vhost
> > cert=/usr/local/squid/etc/devstore.pem
> > key=/usr/local/squid/etc/devstore.key version=3
> > cache_peer 192.168.0.7 parent 80 0 no-query originserver
> > name=store.client1.com
> > #acl client1 dstdomain store.client1.com
> > acl client1 dstdomain xxx.xxx.xxx.xxx store.client1.com
> > http_access allow client1
> > cache_peer_access store.client1.com allow client1
> >
> >
> > # Client2 reverse proxy config
> > https_port 172.16.0.111:443 protocol=https
> > cert=/usr/local/squid/etc/ctccert.pem
> > key=/usr/local/squid/etc/ctccert.key
> > vhost
>
> no version= there...
>
> > cache_peer 192.168.0.11 parent 80 0 no-query originserver
> > name=store.client2.com
> > acl client2 dstdomain xxx.xxx.xxx.xxx store.client2.com
> > http_access allow client2
> > cache_peer_access store.client2.com allow client2
> >
> > # Client3 reverse proxy config
> > https_port 172.16.0.105:443 protocol=https
> > cert=/usr/local/squid/etc/devstore.pem
> > key=/usr/local/squid/etc/devstore.key vhost
>
> And another missing the version.
>
> > cache_peer 192.168.0.05 parent 80 0 no-query originserver
> > name=store.client3.com
> > acl client3 dstdomain store.client3.com
> > http_access allow client3
> > cache_peer_access store.client3.com allow client3
> >
> > # Client4 reverse proxy config
> > https_port 172.16.0.106:443 protocol=https
> > cert=/usr/local/squid/etc/cycert.pem key=/usr/local/squid/etc/cycert.key
> > vhost
>
> And another missing the version.
>
> > cache_peer 192.168.0.06 parent 80 0 no-query originserver
> > name=store.client4.com
> > acl client4 dstdomain store.client4.com
> > http_access allow client4
> > cache_peer_access store.client4.com allow client4
> >
> > # Client5 reverse proxy config
> > https_port 172.16.0.120:443 protocol=https
> > cert=/usr/local/squid/etc/opaccess.pem
> > key=/usr/local/squid/etc/opaccess.key vhost
>
> And another missing the version.
>
> > cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl
> > name=store.client5.com
> > acl client5 dstdomain store.client5.com
> > http_access allow client5
> > cache_peer_access store.client5.com allow client5
> >
> >
> >
> > # --- Begin default config options --- #
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> >
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> >
> > access_log /usr/local/squid/var/logs/access.log squid
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl TRACE method TRACE
> >
> > # Deny HTTP TRACE method
> > http_access deny TRACE
> > # Only allow cachemgr access from localhost
> > http_access allow manager localhost
> > http_access deny manager
> > # Deny requests to unknown ports
> > http_access deny !Safe_ports
> > # Deny CONNECT to other than SSL ports
> > http_access deny CONNECT !SSL_ports
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> >
> > # And finally deny all other access to this proxy
> > http_access deny all
> >
> > # and finally allow by default
> > http_reply_access allow all
> >
> > #Allow ICP queries from everyone
> > icp_access allow all
> >
> > # Leave coredumps in the first cache dir
> > coredump_dir /usr/local/squid/var/cache
> >
> > Thanks,
> >
> > Jack Siergiej
> >
>
>
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
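The check Amos does by eye above (which https_port lines carry no version= and would still accept SSLv2, and the options=NO_SSLv2 alternative) as an added Python lint over a constructed squid.conf excerpt; this is example code, not from the thread or from Squid. The accepted spellings option=/options= and the version= values 3/4 are assumptions to confirm against the https_port documentation for the Squid release in use.

```python
import shlex
# Constructed squid.conf excerpt modelled on the posted config: one listener with
# version=3, one with options=NO_SSLv2, one unrestricted, one commented out.
SAMPLE_SQUID_CONF = """\
# Client1 reverse proxy config
https_port 172.16.0.107:443 protocol=https vhost cert=/etc/squid/devstore.pem key=/etc/squid/devstore.key version=3
cache_peer 192.168.0.7 parent 80 0 no-query originserver name=store.client1.com
# Client2 reverse proxy config
https_port 172.16.0.111:443 protocol=https cert=/etc/squid/ctccert.pem key=/etc/squid/ctccert.key vhost
#https_port 172.16.0.112:443 protocol=https cert=/etc/squid/old.pem vhost
# Client3 reverse proxy config
https_port 172.16.0.105:443 protocol=https options=NO_SSLv2,NO_SSLv3 cert=/etc/squid/devstore.pem vhost
"""

def parse_params(tokens):
    """Turn name=value tokens into a dict; bare flags such as vhost map to True."""
    params = {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        params[name] = value if sep else True
    return params

def sslv2_guard(params):
    """Return the https_port parameter that keeps SSLv2 out, or None if nothing does.
    version=3 (SSLv3 only) / version=4 (TLSv1 only) pin one protocol and so exclude SSLv2;
    options=NO_SSLv2 is Amos's alternative (thread writes option=; both accepted, assumption)."""
    version = params.get("version")
    if version in ("3", "4"):
        return "version=" + version
    for key in ("options", "option"):
        opts = params.get(key)
        if isinstance(opts, str) and "NO_SSLv2" in opts.split(","):
            return key + "=" + opts
    return None

def audit_https_ports(conf_text):
    """Return (listen_address, guard) per active https_port line; guard None = SSLv2 possible."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. commented-out ports
        if not line.startswith("https_port"):
            continue
        tokens = shlex.split(line)
        findings.append((tokens[1], sslv2_guard(parse_params(tokens[2:]))))
    return findings

if __name__ == "__main__":
    for listen, guard in audit_https_ports(SAMPLE_SQUID_CONF):
        print(listen, guard or "NO SSLv2 RESTRICTION")
```

Run it against the real squid.conf by reading the file into audit_https_ports; any listener reported with no guard is the one an outside SSLv2 scan will find.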
Received on Tue Jan 15 2008 - 05:40:44 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST