squid ssl bump sslv3 enforce to allow old sites
Posted
by
Shrey
on Server Fault
See other posts from Server Fault
or by Shrey
Published on 2014-06-13T05:49:08Z
Indexed on
2014/06/13
9:28 UTC
Read the original article
Hit count: 718
Important: I have this question on stackoverflow but somebody told me this is more relevant place for this question. Thanks
I have configured squid(3.4.2) as ssl bumped proxy. I am setting proxy in firefox(29) to use squid for https/http. Now it works for most sites, but some sites which support old SSL proto(sslv3) break, and I see squid not employing any workarounds for those like browsers do.
Sites which should work: https://usc-excel.officeapps.live.com/ , https://www.mahaconnect.in
As a workaround I have set sslproxy_version=3 , which enforces SSLv3 and above sites work.
My question: is there a better way to do this which does not involve enforcing SSLv3 for servers supporting TLS1 or better.
Now I know openssl doesn't automatically handle that. But I imagined squid would.
My squid conf snipper:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/certs/SquidCA.pem
always_direct allow all ssl_bump server-first all sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
client_persistent_connections on server_persistent_connections on
sslproxy_version 3
sslproxy_options ALL
cache_dir aufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
strip_query_terms off
httpd_suppress_version_string on
via off
forwarded_for transparent
vary_ignore_expire on
refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
UPDATE: I have tried compiling squid 3.4.5 with openssl 1.0.1h . No improvements
© Server Fault or respective owner