On 31/03/18 11:41, squid wrote:
> We are using squid as reverse proxy and we have disabled SSLv3 :
>
> https_port ...
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
> cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem

NP: Squid-3.5 or later is required for EC cipher support.

> Using Nessus scanning tool, it reports that SSLv3 is enabled, but not SSLv2.
> Looking at the ssl handshake client hello and server hellos it does seem
> that the sslv3 is being used. Is there something that we are missing?
>
> Version of Squid (3.1) is stock RH6 which I know is old, but for now we need
> to use. We will be upgrading to RH7, but it may be a little while so I'd
> like to get this solved.
>
> Secure Sockets Layer
>     SSLv3 Record Layer: Handshake Protocol: Server Hello
>         Content Type: Handshake (22)
>         Version: SSL 3.0 (0x0300)
>         Length: 74
>         Handshake Protocol: Server Hello
>             Handshake Type: Server Hello (2)
>             Length: 70
>             Version: SSL 3.0 (0x0300)
>             Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
>             Session ID Length: 32
>             Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
>             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>             Compression Method: null (0)

Which of the TCP connections was that hello performed on?

You have apparently only disabled SSLv3 on the client->Squid connection. No information is provided about the Squid->server settings (sslproxy_options).

Also, these options are handled by OpenSSL. They only work if the library Squid was built against supports them.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
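As an added example, not code from the thread or from the Squid project: a small parser for a captured Server Hello record like the one quoted above, so the negotiated protocol version can be checked on each leg (client->Squid and Squid->server) independently of what the scanner reports. The sample bytes are constructed with the same field lengths as the quoted hello; the random and session ID values are made up.

```python
import struct

# Names for the values this example knows; anything else is shown as hex.
CIPHER_NAMES = {0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a Server Hello and report what was negotiated.

    Note: a TLS 1.3 server puts 0x0303 here and the real version in the
    supported_versions extension, which this parser does not read.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte record header")
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError(f"content type {content_type} is not Handshake (22)")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")      # 3-byte handshake length
    if hs_type != 2:
        raise ValueError(f"handshake type {hs_type} is not Server Hello (2)")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake message truncated")
    hello_version = struct.unpack("!H", hello[:2])[0]   # version, then 32 random bytes
    sid_len = hello[34]
    off = 35 + sid_len
    cipher, compression = struct.unpack("!HB", hello[off:off + 3])
    return {
        "record_version": VERSION_NAMES.get(rec_version, hex(rec_version)),
        "negotiated_version": VERSION_NAMES.get(hello_version, hex(hello_version)),
        "cipher_suite": CIPHER_NAMES.get(cipher, hex(cipher)),
        "session_id_length": sid_len,
        "compression": compression,
        "sslv3_negotiated": hello_version == 0x0300,
    }

# Constructed sample: record length 74 = 4-byte handshake header + 70-byte Server Hello
# (2 version + 32 random + 1 sid length + 32 sid + 2 cipher + 1 compression).
SAMPLE = (
    bytes([22]) + b"\x03\x00" + (74).to_bytes(2, "big")
    + bytes([2]) + (70).to_bytes(3, "big")
    + b"\x03\x00" + bytes(range(32)) + bytes([32]) + bytes(range(32, 64))
    + b"\x00\x39" + b"\x00"
)

if __name__ == "__main__":
    for key, value in parse_server_hello(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the raw bytes of the Server Hello record from a capture of each connection; if `sslv3_negotiated` is true on the Squid->server leg, the https_port options are not where the fix belongs.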