Re: [squid-users] Require SSL version 3

From: Amos Jeffries <[email protected]>
Date: Wed, 16 Jan 2008 14:24:34 +1300

JSiergiej@pennsoftware.com wrote:
> Amos,
>
> When I added the option=NO_SSLv2,NO_SSLv3 lines and tried to start squid,
> I got a fatal error. It said something about the syntax being wrong on
> the line. I took the lines out and tried to start squid and my swap file
> got corrupted. I had to rename the swap file and let squid create a new
> one. Then it started. Phew!!
>
> Any reason why it wouldn't let me put in the option line? I stuck right
> at the end of the https_port line right after the key= definition.

Oh no idea myself, I'm still trying to get a hang of the cert formats.
File a bug for this and the version issue. Henrik needs to track it down
for you as he is the guru for both 2.6 and SSL.

Amos

> Thanks,
>
> Jack Siergiej
>
>
>
>
> Amos Jeffries <squid3@treenet.co.nz>
> 01/15/2008 07:41 AM
>
> To
> JSiergiej@pennsoftware.com
> cc
> squid-users@squid-cache.org
> Subject
> Re: [squid-users] Require SSL version 3
>
>
>
>
>
>
> JSiergiej@pennsoftware.com wrote:
>> Amos,
>>
>> I am not running the version= on any of the sites right now, I only
>> included the version= in the provided code so you can see where I placed
>
>> it and see if there was anything wrong with how I did it. So, answering
>
>> your first question, the outside test is talking about all of the sites.
>>
>> In terms of further info for the version not working, when I place it in
>
>> my code and launch squid and try to go to the https portion of the site,
>
>> my browser (firefox) told me that the transmission was interrupted. In
>> the squid terminal window, I get the following:
>>
>> clientNegotiateSSL: Error negotiating SSL connection on FD 22: error
>> 1408A09F: SSL routines: SSL3_Get_Client_Hello: length mismatch (1/-1)
>> clientNegotiateSSL: Error negotiating SSL connection on FD 22:
>> error:1408F10B: SSL routines: SSL3_Get_Record: wrong version number
> (1/-1)
>> I have not tried the option=NO_SSLv2,NO_SSLv1. That will be my next
> move.
>> In terms of the upgrade to Squid 2.6STABLE17+ or 3.0STABLE1+, is it an
>> easy upgrade or is there alot of configuration involved?
>
> Relatively easy upgrade config-wise. I did not see anything in your
> posted lines which was deprecated in 2.6 and killed in 3.0.
>
> There is a short list if you have further config at
> http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html#modifiedtags
>
> Amos
>
>> Thanks,
>>
>> Jack Siergiej
>>
>>
>>
>>
>> *Amos Jeffries <squid3@treenet.co.nz>*
>>
>> 01/15/2008 02:43 AM
>>
>>
>> To
>> JSiergiej@pennsoftware.com
>> cc
>> squid-users@squid-cache.org
>> Subject
>> Re: [squid-users] Require SSL version 3
>>
>>
>>
>>
>>
>>
>>
>>
>> JSiergiej@pennsoftware.com wrote:
>> > Hello all,
>> >
>> > I have a client that is requiring the use of only SSL version 3 for
>> their
>> > websites. When a vulnerability scan is done by an outside firm
> against
>> > squid, the report states that SSLV2 is allowed and we can't have
> that.
>> Firstly, I see several HTTPS address/port open in the config below.
>> Several do not have a version= limit set on them. Are you certain the
>> outside test report is not talking about one of those?
>>
>> >
>> > I went to the
>> > http://www.squid-cache.org/Versions/v2/2.6/cfgman/https_port.html
>> page and
>> > tried appending the option "version=3" to the end of my https_port
> line
>> > for one of the sites (see below), but after I do this, I cannot view
> the
>> > https portion of the site. It tells me that the page was
>> interrupted. If
>> > I remove the version=3 line, I am fine.
>> >
>> > What do I need to do to make each of the sites below only accept
> SSLV3
>> > connections? Any help would be appreciated.
>>
>> version not working is a bug. Any further info you can provide would be
>> welcome in tracking it down
>>
>> Secondly, for your production use there are also appear to be the
>> alternatives:
>> https_port ... option=NO_SSLv2,NO_SSLv1
>>
>> >
>> > # Run Squid in virtual host mode
>> > http_port 80 vhost
>> >
>> > # Client1 reverse proxy config
>> > https_port 172.16.0.107:443 protocol=https vhost
>> > cert=/usr/local/squid/etc/devstore.pem
>> > key=/usr/local/squid/etc/devstore.key version=3
>> > cache_peer 192.168.0.7 parent 80 0 no-query originserver
>> > name=store.client1.com
>> > #acl client1 dstdomain store.client1.com
>> > acl client1 dstdomain xxx.xxx.xxx.xxx store.client1.com
>> > http_access allow client1
>> > cache_peer_access store.client1.com allow client1
>> >
>> >
>> > # Client2 reverse proxy config
>> > https_port 172.16.0.111:443 protocol=https
>> > cert=/usr/local/squid/etc/ctccert.pem
>> key=/usr/local/squid/etc/ctccert.key
>> > vhost
>>
>> no version= there...
>>
>> > cache_peer 192.168.0.11 parent 80 0 no-query originserver
>> > name=store.client2.com
>> > acl client2 dstdomain xxx.xxx.xxx.xxx store.client2.com
>> > http_access allow client2
>> > cache_peer_access store.client2.com allow client2
>> >
>> > # Client3 reverse proxy config
>> > https_port 172.16.0.105:443 protocol=https
>> > cert=/usr/local/squid/etc/devstore.pem
>> > key=/usr/local/squid/etc/devstore.key vhost
>>
>> And another missing the version.
>>
>> > cache_peer 192.168.0.05 parent 80 0 no-query originserver
>> > name=store.client3.com
>> > acl client3 dstdomain store.client3.com
>> > http_access allow client3
>> > cache_peer_access store.client3.com allow client3
>> >
>> > # Client4 reverse proxy config
>> > https_port 172.16.0.106:443 protocol=https
>> > cert=/usr/local/squid/etc/cycert.pem
> key=/usr/local/squid/etc/cycert.key
>> > vhost
>>
>> And another missing the version.
>>
>> > cache_peer 192.168.0.06 parent 80 0 no-query originserver
>> > name=store.client4.com
>> > acl client4 dstdomain store.client4.com
>> > http_access allow client4
>> > cache_peer_access store.client4.com allow client4
>> >
>> > # Client5 reverse proxy config
>> > https_port 172.16.0.120:443 protocol=https
>> > cert=/usr/local/squid/etc/opaccess.pem
>> > key=/usr/local/squid/etc/opaccess.key vhost
>>
>> And another missing the version.
>>
>> > cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl
>> > name=store.client5.com
>> > acl client5 dstdomain store.client5.com
>> > http_access allow client5
>> > cache_peer_access store.client5.com allow client5
>> >
>> >
>> >
>> > # --- Begin default config options --- #
>> >
>> > hierarchy_stoplist cgi-bin ?
>> >
>> > acl QUERY urlpath_regex cgi-bin \?
>> > cache deny QUERY
>> >
>> > acl apache rep_header Server ^Apache
>> > broken_vary_encoding allow apache
>> >
>> > access_log /usr/local/squid/var/logs/access.log squid
>> >
>> > refresh_pattern ^ftp: 1440 20% 10080
>> > refresh_pattern ^gopher: 1440 0% 1440
>> > refresh_pattern . 0 20% 4320
>> >
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl manager proto cache_object
>> > acl localhost src 127.0.0.1/255.255.255.255
>> > acl to_localhost dst 127.0.0.0/8
>> > acl SSL_ports port 443
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 21 # ftp
>> > acl Safe_ports port 443 # https
>> > acl Safe_ports port 70 # gopher
>> > acl Safe_ports port 210 # wais
>> > acl Safe_ports port 1025-65535 # unregistered ports
>> > acl Safe_ports port 280 # http-mgmt
>> > acl Safe_ports port 488 # gss-http
>> > acl Safe_ports port 591 # filemaker
>> > acl Safe_ports port 777 # multiling http
>> > acl CONNECT method CONNECT
>> > acl TRACE method TRACE
>> >
>> > # Deny HTTP TRACE method
>> > http_access deny TRACE
>> > # Only allow cachemgr access from localhost
>> > http_access allow manager localhost
>> > http_access deny manager
>> > # Deny requests to unknown ports
>> > http_access deny !Safe_ports
>> > # Deny CONNECT to other than SSL ports
>> > http_access deny CONNECT !SSL_ports
>> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> >
>> > # And finally deny all other access to this proxy
>> > http_access deny all
>> >
>> > # and finally allow by default
>> > http_reply_access allow all
>> >
>> > #Allow ICP queries from everyone
>> > icp_access allow all
>> >
>> > # Leave coredumps in the first cache dir
>> > coredump_dir /usr/local/squid/var/cache
>> >
>> > Thanks,
>> >
>> > Jack Siergiej
>> >
>>
>>
>> --
>> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
>> There are serious security advisories out on all earlier releases.
>>
>
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Jan 15 2008 - 18:24:11 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST