Without restricting the ciphers it seems to work fine, however some of the ciphers are vulnerable to attacks... Furthermore, I think if I try some weird cipher which Squid is not supporting, the same thing will happen...
On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> But what happens when you are not restricting the cipher with all this mess in the options?
> Would then also the DOS from nmap result the same issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Martin Tenev
> Sent: Monday, November 21, 2016 19:01
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)
>
> Hello,
>
> I am having problems with squid & SSL. I have setup squid in reverse-proxy configuration and overall it works fine, however for security reasons I had to disable some of the ciphers. I have taken an example configuration from http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty much like this (this is the example from the website but the disabled ciphers are the same for me as well):
>
> https_port 443 accel defaultsite=someinternalhost vhost
> cert=/etc/squid/CertAuth/supersecret.crt
> key=/etc/squid/CertAuth/supersecret.key
> options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> dhparams=/etc/squid/CertAuth/dhparams.pem
>
> During my build I have included the config options --enable-ssl and --with-openssl=/usr
>
> Using the proxy through a browser works fine, but if I try nmap --script ssl-enum-ciphers -p 443 <host> or openssl s_client -cipher 'RC4-SHA' -connect <host> these commands result in complete DoS for a few minutes. I figured out that only the unsupported or disabled ciphers cause this problem. Also when I do the openssl connection as shown above the proxy will be unresponsive as long as openssl is trying to connect using the disabled cipher. As soon as it finishes (eg times out unable to connect using RC4) the proxy starts serving requests again. I should mention that I am running squid inside a docker container if this matters at all.
>
> The errors in my logs are:
> "Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
>
> "Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
>
> P.S. I also tried squid 4, and got exactly the same problem.
>
> Any help will be much appreciated
>
> Thanks!
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
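The two cache.log errors quoted in the thread are the observable trace of the hang, so they are worth alerting on. As an added example (not from the thread or from the Squid project), this Python watcher parses those lines and flags a burst of handshake failures per reason; it assumes Squid's standard cache.log timestamp prefix in front of the message text the thread quotes, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# cache.log prefix assumed here: "YYYY/MM/DD HH:MM:SS| message" (Squid 3.x)
# or "YYYY/MM/DD HH:MM:SS kidN| message" (Squid 4.x). The thread quotes only
# the message part, which is matched verbatim below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+)?\| "
    r"Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error (?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+): (?P<reason>.+?) \("
)

def parse_line(line):
    """Parse one TLS handshake-failure line; return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["fd"] = int(rec["fd"])
    return rec

def failure_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {reason: peak count} for every failure reason that reaches
    `threshold` occurrences inside some sliding time `window`."""
    by_reason = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_reason[rec["reason"]].append(rec["ts"])
    alerts = {}
    for reason, stamps in by_reason.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[reason] = max(alerts.get(reason, 0), count)
    return alerts

# Constructed sample log: six 'no shared cipher' failures within 30 s (FDs 22-27),
# two 'wrong version number' failures, and one unrelated startup line.
_FAIL = ("2016/11/21 19:01:%02d| Error negotiating SSL connection on FD %d: "
         "error %s:SSL routines:SSL3_GET_CLIENT_HELLO: %s (1/-1)")
SAMPLE_LOG = [_FAIL % (5 * i, 22 + i, "1408A0C1", "no shared cipher") for i in range(6)]
SAMPLE_LOG += [_FAIL % (10, 30, "1408A10B", "wrong version number"),
               _FAIL % (12, 31, "1408A10B", "wrong version number"),
               "2016/11/21 19:02:00| Starting Squid Cache version 3.5.21 ..."]

if __name__ == "__main__":
    for reason, peak in failure_bursts(SAMPLE_LOG).items():
        print("ALERT: %d x '%s' within 60s" % (peak, reason))
```

Feed it `open("/var/log/squid/cache.log")` instead of `SAMPLE_LOG` to run it against a real log; the threshold and window are tuning knobs, not Squid settings.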