I missed that I needed that setting (sslproxy_options) in a reverse proxy mode 
of operation. We haven't had to use any of the sslproxy_* options.  I'll test 
that and see if it takes care of the issue.  

Does this option need to be placed anywhere specifically in the config?  

Also, does this require any other sslproxy_* options?  Our goal is just to stop 
Nessus from flagging for SSLv3.   Thanks

On Fri, Mar 30, 2018, at 8:29 PM, Amos Jeffries wrote:
> On 31/03/18 11:41, squid wrote:
> > We are using squid as reverse proxy and we have disabled SSLv3 :
> > 
> > https_port ... 
> > options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE 
> > cipher=ECDHE-ECDSA . . .. dhparams=/etc/...dhparams.pem
> 
> NP: Squid-3.5 or later is required for EC cipher support.
> 
> 
> > 
> > Using Nessus scanning tool, it reports that SSLv3 is enabled, but not 
> > SSLv2.   Looking at the SSL handshake client hello and server hellos it 
> > does seem that SSLv3 is being used.  Is there something that we are 
> > missing?
> > 
> > Version of Squid  (3.1) is stock RH6 which I know is old, but for now we 
> > need to use.  We will be upgrading to RH7, but it may be a little while so 
> > I'd like to get this solved. 
> > 
> > Secure Sockets Layer
> >     SSLv3 Record Layer: Handshake Protocol: Server Hello
> >         Content Type: Handshake (22)
> >         Version: SSL 3.0 (0x0300)
> >         Length: 74
> >         Handshake Protocol: Server Hello
> >             Handshake Type: Server Hello (2)
> >             Length: 70
> >             Version: SSL 3.0 (0x0300)
> >             Random: 5aa83ae26555f6dcc7042c341d090c6715a243a7be05d69b...
> >             Session ID Length: 32
> >             Session ID: 44bb10e985c067cc987bf2e698d458dd37d2b3c469ce9fe7...
> >             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> >             Compression Method: null (0)
> 
> Which of the TCP connections was that hello performed on?
> 
> You have apparently only disabled SSLv3 on the client->Squid connection.
> No information is provided about the Squid->server settings
> (sslproxy_options).
> 
> 
> Also, these options are handled by OpenSSL. They only work if the
> library Squid was built against supports them.
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
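The following squid.conf fragment is an added illustration of the two halves of Amos's answer; it is not the poster's configuration and not taken from the Squid documentation. The listener line mirrors the one quoted above, while the hostnames, certificate and dhparams paths, the cache_peer line and the cipher lists are assumptions chosen for the example (DHE rather than ECDHE suites, since the quoted note says EC ciphers need Squid 3.5 or later):

```conf
# Added example, not the original poster's config. Hostnames, file paths and
# cipher strings below are assumptions for illustration only.

# Client -> Squid listener. This is the only hop the quoted configuration
# restricted; options= and cipher= here say nothing about outbound connections.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE cipher=DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA dhparams=/etc/squid/ssl/dhparams.pem

# Squid -> origin when Squid connects directly (no cache_peer). The sslproxy_*
# directives are global, so they can be placed anywhere in squid.conf; the
# option names are the same OpenSSL SSL_OP_* flags used on https_port.
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
sslproxy_cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA

# Squid -> origin through a cache_peer. A peer's TLS settings come from the
# per-peer ssloptions= / sslcipher= parameters, so restrict them there too.
cache_peer origin.example.com parent 443 0 no-query originserver ssl ssloptions=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE sslcipher=DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA name=origin
```

Two checks are worth running after a reload, from a host whose OpenSSL still has SSLv3 compiled in: "openssl s_client -ssl3 -connect www.example.com:443" against the Squid listener, and "openssl s_client -ssl3 -connect origin.example.com:443" from the Squid box against the origin. A handshake that succeeds on the second one means the origin itself still offers SSLv3, which is what a scanner pointed at the origin will report regardless of Squid's settings. As the quoted reply notes, NO_SSLv3 only has an effect if the OpenSSL that Squid was built against understands it.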