RE: [squid-users] Reverse Proxy SSL Options

2010-04-04 Thread Henrik Nordström
Fri 2010-03-19 at 10:09 -0500, Dean Weimer wrote:

 Thanks for the info that worked, almost, I added the following entries.
 
 sslproxy_options NO_SSLv2
 sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

sslproxy_* options are the wrong place. As you discovered, you need to
set these SSL parameters in the https_port line.

sslproxy_* parameters control what Squid requires on outgoing SSL
connections it makes when forwarding an https:// URL and not using a
peer... I very much doubt you need to care about these. There are two
main situations when Squid forwards https:// URLs

  a) When requested by a client without native SSL support. I.e. old
versions of lynx.

  b) When using a redirector to rewrite http:// URLs into https://
without using a browser redirect.

  c) an ssl reverse proxy configured with direct forwarding without
using cache_peer.

Regards
Henrik




Re: [squid-users] Reverse Proxy SSL Options

2010-03-19 Thread Matus UHLAR - fantomas
On 18.03.10 13:12, Dean Weimer wrote:
 We have multiple websites using a certificate that has subject
 alternative names set to use SSL for the multiple domains.  That part is
 working fine, and traffic will pass through showing with Valid
 certificates.  However, I need to Disable it from answering with weak
 ciphers and SSLv2 to pass the scans.

check https_port options cipher= and options=

for the latter you can play with openssl ciphers.
I use (not on squid), DEFAULT:!EXP
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe. 


Re: [squid-users] Reverse Proxy SSL Options

2010-03-19 Thread Amos Jeffries

Matus UHLAR - fantomas wrote:

On 18.03.10 13:12, Dean Weimer wrote:

We have multiple websites using a certificate that has subject
alternative names set to use SSL for the multiple domains.  That part is
working fine, and traffic will pass through showing with Valid
certificates.  However, I need to Disable it from answering with weak
ciphers and SSLv2 to pass the scans.


check https_port options cipher= and options=

for the latter you can play with openssl ciphers.
I use (not on squid), DEFAULT:!EXP



@Dean: Thanks for bringing this up. I've now updated the config 
documentation to actually mention those details.


In short for options:
NO_SSLv2  Disallow the use of SSLv2
NO_SSLv3  Disallow the use of SSLv3
NO_TLSv1  Disallow the use of TLSv1
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges

These options vary depending on your SSL engine.
See the OpenSSL SSL_CTX_set_options documentation for a
complete list of possible options.

ciphers is a comma separated list of ciphers which are to be accepted. 
I'm only going on second-hand info but think it's like SHA1,SHA256 etc.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18


RE: [squid-users] Reverse Proxy SSL Options

2010-03-19 Thread Dean Weimer
On 18.03.10 13:12, Dean Weimer wrote:
 We have multiple websites using a certificate that has subject
 alternative names set to use SSL for the multiple domains.  That part
 is working fine, and traffic will pass through showing with Valid
 certificates.  However, I need to Disable it from answering with weak
 ciphers and SSLv2 to pass the scans.

check https_port options cipher= and options=

for the latter you can play with openssl ciphers.
I use (not on squid), DEFAULT:!EXP
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe. 

Thanks for the info, that worked, almost; I added the following entries.

sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

I stole the cipher options from an apache server that was passing the
PCI scans.  This still caused it to fail the scans.

When I entered the same configuration in the https_port line, however,
it worked.

Example (IP and domain name have been changed):
https_port 192.168.1.2:443 accel cert=/usr/local/squid/etc/certs/test.crt key=/usr/local/squid/etc/certs/test.key defaultsite=www.default.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Do the sslproxy_* lines only affect the squid outbound connections to
the back end servers?
Or are both settings possibly required?  In the successful test scan I
had both Set.

I am willing to test some other options if anyone wants me to, I have
until Tuesday before the system needs to be live, it's currently only
accessible to internal clients with a hosts file entry and is being
tested with a Rapid7 Nexpose scanner.

Thanks,
Dean Weimer
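The two lessons of this thread (Henrik's point that sslproxy_* only governs Squid's outgoing TLS connections, and Dean's finding that the listening-side restrictions belong in options= and cipher= on the https_port line) can be turned into a small squid.conf lint. The script below is an added example written for this page; it is not Squid's code and not code posted by anyone in the thread. It assumes options= accepts a comma- or colon-separated list, it checks the cipher= string textually (it does not expand it with OpenSSL), and the two sample configurations are constructed from the values quoted in the thread.

```python
"""Lint squid.conf listening-side TLS settings (added example, not Squid code)."""
import shlex

# Cipher-string groups that the working https_port line in the thread disables
# with a leading '!'. Textual check only: no OpenSSL expansion is performed.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "LOW", "EXP", "ADH", "SSLv2")

# Constructed sample: the layout that failed the scan, with sslproxy_* set but
# an https_port line carrying no options= or cipher= at all.
BEFORE_CONF = """\
http_port 3128
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 192.168.1.2:443 accel cert=/etc/squid/certs/test.crt key=/etc/squid/certs/test.key defaultsite=www.default.com vhost
"""

# Constructed sample: the https_port line as posted in the thread.
AFTER_CONF = """\
http_port 3128
https_port 192.168.1.2:443 accel cert=/usr/local/squid/etc/certs/test.crt key=/usr/local/squid/etc/certs/test.key defaultsite=www.default.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
"""


def parse_https_ports(conf_text):
    """Return one dict per https_port directive: listen address, options, cipher.

    Assumption: the options= value may be separated by ',' or ':'.
    """
    ports = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("https_port"):
            continue
        tokens = shlex.split(line)
        entry = {"listen": tokens[1], "options": set(), "cipher": None}
        for tok in tokens[2:]:
            if tok.startswith("options="):
                value = tok[len("options="):]
                entry["options"] = {o for o in value.replace(":", ",").split(",") if o}
            elif tok.startswith("cipher="):
                entry["cipher"] = tok[len("cipher="):]
        ports.append(entry)
    return ports


def missing_exclusions(cipher_string):
    """Return the required groups that are not explicitly removed with '!'."""
    if cipher_string is None:
        return list(REQUIRED_EXCLUSIONS)
    excluded = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    return [g for g in REQUIRED_EXCLUSIONS if g not in excluded]


def lint(conf_text):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    for port in parse_https_ports(conf_text):
        if "NO_SSLv2" not in port["options"]:
            findings.append(f"{port['listen']}: options= lacks NO_SSLv2")
        for group in missing_exclusions(port["cipher"]):
            findings.append(f"{port['listen']}: cipher= does not exclude {group}")
    has_sslproxy = any(ln.strip().startswith("sslproxy_")
                       for ln in conf_text.splitlines())
    if has_sslproxy and findings:
        # Henrik's point: these directives shape Squid's own outgoing TLS
        # connections and do nothing for the listening https_port.
        findings.append("sslproxy_* directives control Squid's outgoing TLS "
                        "connections only; they do not change the https_port "
                        "findings above")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(f"== {name} ==")
        for finding in lint(conf) or ["no findings"]:
            print("  " + finding)
```

Running the script reports the missing NO_SSLv2 and the six missing cipher exclusions for the first configuration and nothing for the second, which matches what the scanner saw in the thread. Because the cipher check is purely textual, a string such as DEFAULT:!EXP will still be flagged for the other groups even if OpenSSL's DEFAULT happens to exclude some of them; expanding the string with the openssl ciphers command remains the authoritative check.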