I have submitted a bug: http://bugs.squid-cache.org/show_bug.cgi?id=4639

On Mon, Nov 21, 2016 at 5:48 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> Can you file a bug at the Bugzilla please?
> http://bugs.squid-cache.org/enter_bug.cgi
>
> This is a very important issue to handle for both 3.5 and 4.0.
>
> Eliezer
>
> * If you are having any trouble handling the Bugzilla let me know and
> I will try to help.
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: Martin Tenev [mailto:martintin...@gmail.com]
> Sent: Monday, November 21, 2016 19:18
> To: Eliezer Croitoru <elie...@ngtech.co.il>
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)
>
> Without restricting the ciphers it seems to work fine, however some of the
> ciphers are vulnerable to attacks... Furthermore I think if I try some weird
> cipher which Squid is not supporting the same thing will happen...
>
> On Mon, Nov 21, 2016 at 5:12 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> But what happens when you are not restricting the cipher with all this mess
> in the options?
> Would then also the DOS from nmap result in the same issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Martin Tenev
> Sent: Monday, November 21, 2016 19:01
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid 3.5.21 "hangs" when trying to connect using unsupported cipher (complete DoS)
>
> Hello,
>
> I am having problems with squid & SSL. I have set up squid in reverse-proxy
> configuration and overall it works fine, however for security reasons I had
> to disable some of the ciphers. I have taken an example configuration from
> http://www.rawiriblundell.com/?p=1442 and my https_port line looks pretty
> much like this (this is the example from the website but the disabled
> ciphers are the same for me as well):
>
> https_port 443 accel defaultsite=someinternalhost vhost cert=/etc/squid/CertAuth/supersecret.crt key=/etc/squid/CertAuth/supersecret.key options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/dhparams.pem
>
> During my build I have included the config options --enable-ssl and
> --with-openssl=/usr
>
> Using the proxy through a browser works fine, but if I try
> nmap --script ssl-enum-ciphers -p 443 <host> or
> openssl s_client -cipher 'RC4-SHA' -connect <host>
> these commands result in complete DoS for a few minutes. I
> figured out that only the unsupported or disabled ciphers cause this
> problem. Also when I do the openssl connection as shown above the proxy will
> be unresponsive as long as openssl is trying to connect using the disabled
> cipher. As soon as it finishes (e.g. times out unable to connect using RC4)
> the proxy starts serving requests again. I should mention that I am running
> squid inside a docker container if this matters at all.
>
> The errors in my logs are:
>
> "Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
>
> "Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
>
> P.S. I also tried squid 4, and got exactly the same problem.
>
> Any help will be much appreciated.
>
> Thanks!
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
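The two cache.log messages Martin quotes are the only visible trace of the hang, so an operator watching for this condition has to work from them. The following Python script is an added example and is not part of the thread or of Squid itself: it parses those "Error negotiating SSL connection" lines, counts them by the OpenSSL reason string, and flags a cluster of failures close together in time, which is what a cipher enumeration or a client stuck retrying a disabled cipher leaves behind in the log. The timestamp prefix format, the sample log lines, the 5-second gap and the threshold of 5 failures are assumptions made for the example; the two error texts are the ones from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the handshake-failure message quoted in the thread. The optional
# "YYYY/MM/DD HH:MM:SS|" (or "... kidN|") prefix is the usual cache.log
# timestamp form (assumption); the thread's own quotes omit it, so it is optional.
ERROR_RE = re.compile(
    r'^(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: kid\d+)?\|\s*)?'
    r'"?Error negotiating SSL connection on FD (?P<fd>\d+): '
    r'error (?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+): '
    r'(?P<reason>.+?) \((?P<errs>-?\d+/-?\d+)\)$'
)

# Constructed sample log: a burst of failures from one scan, an unrelated
# line, and a single later failure. Reason strings are the thread's.
SAMPLE_LOG = """\
2016/11/21 19:00:01| Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:01| Error negotiating SSL connection on FD 23: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:02| Error negotiating SSL connection on FD 24: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:02| Error negotiating SSL connection on FD 25: error 1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO: wrong version number (1/-1)
2016/11/21 19:00:03| Error negotiating SSL connection on FD 26: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:00:03| Error negotiating SSL connection on FD 27: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:03:30| storeLateRelease: released 0 objects
"Error negotiating SSL connection on FD 22: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
2016/11/21 19:12:00| Error negotiating SSL connection on FD 30: error 1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO: no shared cipher (1/-1)
"""


def parse_line(line):
    """Return a dict for a handshake-failure line, or None for any other line."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fd"] = int(rec["fd"])
    # Lines copied without a timestamp (as in the thread) still parse; ts is None.
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S") if rec["ts"] else None
    return rec


def summarize(lines):
    """Count handshake failures by OpenSSL reason string ("no shared cipher", ...)."""
    return Counter(rec["reason"] for rec in map(parse_line, lines) if rec)


def find_bursts(lines, max_gap=timedelta(seconds=5), threshold=5):
    """Group timestamped failures into clusters whose neighbours are at most
    max_gap apart; a cluster of at least `threshold` failures is reported.
    Untimestamped lines cannot be placed in time and are skipped here."""
    events = sorted((r for r in map(parse_line, lines) if r and r["ts"]), key=lambda r: r["ts"])
    bursts, cluster = [], []

    def describe(c):
        return {
            "start": c[0]["ts"], "end": c[-1]["ts"], "count": len(c),
            "reasons": Counter(r["reason"] for r in c),
            "fds": sorted(r["fd"] for r in c),
        }

    for rec in events:
        if cluster and rec["ts"] - cluster[-1]["ts"] > max_gap:
            if len(cluster) >= threshold:
                bursts.append(describe(cluster))
            cluster = []
        cluster.append(rec)
    if len(cluster) >= threshold:
        bursts.append(describe(cluster))
    return bursts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for reason, n in summarize(lines).items():
        print(f"{n:4d}  {reason}")
    for b in find_bursts(lines):
        print(f"burst {b['start']} .. {b['end']}: {b['count']} failures, reasons={dict(b['reasons'])}")
```

Run against a real cache.log, the script is a quick way to tell a single misconfigured client (one failure every few minutes) from the scan-like burst the thread describes; the gap and threshold should be tuned to the site's normal rate of handshake failures before the output is used for alerting.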