Is there a way to verify that the SSL library doesn't support SSLv3?

Renato Jop

On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoi...@gmail.com> wrote:
> Looks like your SSL library already does not contain SSLv3 protocol support, but the site announces it.
>
> 27.06.2016 20:42, Renato Jop wrote:
>> I removed NO_SSLv2, NO_SSLv3; however, right before the SSL3_GET_RECORD:wrong version number, the SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>>
>> Renato Jop
>>
>> On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoi...@gmail.com> wrote:
>>> Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 is already not supported everywhere, and RC4/3DES are SSLv3 ciphers, so it can confuse the software. I.e., you use custom cipher/protocol combinations, which can lead to issues.
>>>
>>> 27.06.2016 20:25, Renato Jop wrote:
>>>> Thank you both for your valuable help.
>>>> I've configured the tls-dh param with a strong Diffie-Hellman group (2048 bits) and configured the cipher as Yuri specified, and I was able to get past the unknown cipher; however, now I get a "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the configuration I changed:
>>>> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>>> tls-dh=/usr/local/etc/squid/dhparams.pem
>>>>
>>>> Renato Jop
>>>>
>>>> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
>>>>> 25.06.2016 23:09, Amos Jeffries wrote:
>>>>>> On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>>>>>> Amos, you are wrong.
>>>>>>>
>>>>>>> No Squid-4. It's unstable and not ready for production. Whatever its features.
>>>>>>
>>>>>> So some beta software has bugs, therefore nobody should ever use it for anything. I find that to be a strange and sad view of the world.
>>>>>>
>>>>>> Care to guess why I listed it as the last option amongst several?
>>>>>> Or why 4.0.11 exists as a beta still?
>>>>>> It *is* an option for the mentioned problem(s) though, whatever its utility.
>>>>> Agreed.
>>>>>
>>>>>>> Some time ago I had the same issue and know what happens exactly.
>>>>>>>
>>>>>>> Skype's initial connection site uses the RC4 cipher, which is disabled in most squid configurations.
>>>>>>
>>>>>> Your "know what happens exactly" differs from at least two other people's debugging experiences with Skype.
>>>>>>
>>>>>> RC4 is on the hitlist for most of the big vendors for the past year or so. IIRC there were several Windows Updates to remove it and other broken bits from a lot of things over the past year.
>>>>>> If Skype is still using RC4 it might be part of this problem.
>>>>> I'm sure this is a problem and this problem exists. MS does nothing to make their sites/services more secure. BTW, MS Updates itself uses RC4 ciphers at this time. With strong ciphers there is no way to set up WU via Squid. I've spent much time identifying this problem in my setup and finding a working workaround.
>>>>>
>>>>> Another part of the problem is: MS often uses its own self-signed roots, which exist in Windows but nowhere else, and which have not been cross-signed by well-known root CAs. They think it makes MS services more secure. They are wrong. But we can't do anything about it. So this forces us to add the self-signed MS roots to our Squid's CA bundles to bump/splice.
>>>>>
>>>>>>> To make it work (as well as most M$ update sites) it simply requires using this cipher suite:
>>>>>>>
>>>>>>> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>>>>>>
>>>>>>> That works for me in 5 SSL-bumped setups. It does not matter which squid version is installed.
>>>>>>
>>>>>> Thank you. That's another option then. I'd rate that below trying the EC ciphers, and above library updates.
>>>>> You are welcome.
>>>>>
>>>>> Just for information: MS has its own IT infrastructure, with some strangely configured and not well-managed elements. I can't guarantee this workaround will work everywhere or for every MS service.
>>>>>
>>>>> When I did my research, I saw some strange TLS security combinations on MS sites/services. For example, RC4+ECDSA+TLSv1.2. Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and potentially dangerous combinations. And their support ignores all requests. As usual.
>>>>>
>>>>> To my regret, I cannot order all of the users to abandon the use of Windows. So far, my infrastructure has machines with Windows XP.
>>>>>
>>>>> Nothing can be done about this; it is only necessary to weaken security, for the sake of compatibility.
>>>>>
>>>>>> Amos
>>>>>> _______________________________________________
>>>>>> squid-users mailing list
>>>>>> squid-users@lists.squid-cache.org
>>>>>> http://lists.squid-cache.org/listinfo/squid-users
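The question that opens the thread is how to verify what the SSL library itself was built with, and Yuri's replies turn on RC4/3DES being "SSLv3 ciphers". The following script is an added example (not from the thread, Squid, or OpenSSL's own tooling): using only Python's standard `ssl` module, it reads the compile-time protocol flags of the OpenSSL Python is linked against, then hands the cipher string quoted in the thread to that library and reports which suites it really selects and which of them it labels as SSLv3-era.

```python
import ssl

# Cipher string copied from the Squid configuration quoted in the thread.
THREAD_CIPHER_STRING = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"


def library_protocol_support():
    """Report which protocol versions the linked OpenSSL was built with.

    These flags come from the library's compile-time options, so a build made
    with 'no-ssl3' reports SSLv3 False whatever the proxy configuration asks for.
    """
    return {
        "SSLv2": ssl.HAS_SSLv2,
        "SSLv3": ssl.HAS_SSLv3,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.3": ssl.HAS_TLSv1_3,
    }


def expand_cipher_string(cipher_string):
    """Let the library expand an OpenSSL cipher string.

    Returns {protocol label: [suite names]} for the suites the library really
    selects; suites it cannot offer (e.g. RC4 in a build without weak ciphers)
    simply do not appear. Raises ssl.SSLError if nothing matches at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    by_protocol = {}
    for suite in ctx.get_ciphers():
        by_protocol.setdefault(suite["protocol"], []).append(suite["name"])
    return by_protocol


def legacy_suites(cipher_string):
    """Suites whose minimum protocol the library records as SSLv3 (RC4, 3DES and
    the other pre-TLS-1.2 suites): the ones the thread calls 'SSLv3 ciphers'."""
    return expand_cipher_string(cipher_string).get("SSLv3", [])


if __name__ == "__main__":
    for proto, built_in in library_protocol_support().items():
        print(f"{proto:8} built in: {built_in}")
    for proto, names in sorted(expand_cipher_string(THREAD_CIPHER_STRING).items()):
        print(f"{proto}: {len(names)} suites, e.g. {', '.join(names[:3])}")
    print("SSLv3-era suites offered:", legacy_suites(THREAD_CIPHER_STRING))
```

Running it on the host where the proxy runs shows directly whether the library can speak SSLv3 at all, and whether RC4 named in a cipher string is actually offered or silently dropped.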