RE: [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

From: Dean Weimer <dweimer_at_ORSCHELN.com>
Date: Mon, 15 Nov 2010 09:32:00 -0600

> -----Original Message-----
> From: Sébastien WENSKE [mailto:sebastien_at_wenske.fr]
> Sent: Monday, November 15, 2010 8:44 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure
> Renegotiation Supported
>
> Hello guys,
>
> I have set up a squid as an SSL reverse proxy, and it works very well.
>
> I have checked the SSL security against Qualys, and they report to me that the
> server is vulnerable to MITM attacks because it supports insecure
> renegotiation.
>
>
> Here is my SSL-related configuration:
>
> https_port xx.xx.xx.xx:443 cert=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.crt
> key=/etc/squid/ssl/RapidSSL_xxx.xxxxxxx.xx.key options=NO_SSLv2 cipher=RSA:
> HIGH:!eNULL:!aNULL:!LOW:!RC4 RSA:!RC2 RSA:!EXP:!ADH accel ignore-cc
> defaultsite=xxx.xxxxxxxx.xx vhost
> [...]
> cache_peer 10.x.x.x parent 80 0 front-end-https=on name=sw01 no-query
> originserver default login=PASS no-digest
> [...]
> ssl_unclean_shutdown on
> [...]
>
>
> Is it OpenSSL-related or Squid configuration?
>
>
> Many Thanks,
>
> Sebastian

I have squid compiled from source against OpenSSL 1.0.0a, with the following options set:

https_port x.x.x.x:443 accel cert=xxx.crt key=xxx.key defaultsite=xxx.xxxx.xxx vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
sslproxy_options NO_SSLv2
sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It passes the entire test from our PCI (Payment Card Industry) site certification scans. The options and ciphers are set both on the https_port line and on individual lines; I am not sure if both or only one are required.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
Received on Mon Nov 15 2010 - 15:32:49 MST
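Since the renegotiation behaviour comes from the OpenSSL library squid is linked against rather than from squid.conf, a quick way to confirm what a deployed https_port actually advertises is to read the "Secure Renegotiation" status line that `openssl s_client` prints after the handshake. The script below is an added example, not part of the thread or of Squid; it assumes the `openssl` CLI is available (0.9.8m or newer prints that status line), that `ldd` exists, and it uses `/usr/sbin/squid` only as a placeholder binary path. The two sample outputs are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Check whether a TLS endpoint (e.g. a squid https_port) advertises
# RFC 5746 secure renegotiation, the property the Qualys scan reports on.

# Classify the "Secure Renegotiation ..." status line printed by
# `openssl s_client`. Prints one of: secure | insecure | unknown
renego_status() {
    case "$1" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# Probe a live host:port (default 443): run one handshake, send "Q" to
# make s_client quit, and classify the captured output.
probe_renego() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" 2>&1)
    renego_status "$out"
}

# Report which libssl a squid binary is dynamically linked against.
# The path is an assumed placeholder; pass the real one as argument 1.
squid_openssl_lib() {
    ldd "${1:-/usr/sbin/squid}" 2>/dev/null | grep -i 'libssl' \
        || echo "libssl not found via ldd (static link or wrong path)"
}

# Constructed sample s_client outputs showing both outcomes.
SAMPLE_SECURE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_INSECURE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS NOT supported'

renego_status "$SAMPLE_SECURE"     # prints: secure
renego_status "$SAMPLE_INSECURE"   # prints: insecure
```

Against a live proxy, `probe_renego proxy.example.com 443` should print `secure` once squid is built against an RFC 5746-capable OpenSSL; `squid_openssl_lib /path/to/squid` shows which library that is.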

This archive was generated by hypermail 2.2.0 : Mon Nov 15 2010 - 12:00:02 MST