squid ssl bump sslv3 enforce to allow old sites

Posted by Shrey on Server Fault See other posts from Server Fault or by Shrey
Published on 2014-06-13T05:49:08Z Indexed on 2014/06/13 9:28 UTC
Read the original article Hit count: 718

Filed under:
|
|
|

Important: I have this question on stackoverflow but somebody told me this is more relevant place for this question. Thanks

I have configured squid(3.4.2) as ssl bumped proxy. I am setting proxy in firefox(29) to use squid for https/http. Now it works for most sites, but some sites which support old SSL proto(sslv3) break, and I see squid not employing any workarounds for those like browsers do.

Sites which should work: https://usc-excel.officeapps.live.com/ , https://www.mahaconnect.in

As a workaround I have set sslproxy_version=3 , which enforces SSLv3 and above sites work.

My question: is there a better way to do this which does not involve enforcing SSLv3 for servers supporting TLS1 or better.

Now I know openssl doesn't automatically handle that. But I imagined squid would.

My squid conf snipper:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/certs/SquidCA.pem

always_direct allow all ssl_bump server-first all sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB

client_persistent_connections on server_persistent_connections on

sslproxy_version 3

sslproxy_options ALL

cache_dir aufs /usr/local/squid/var/cache/squid 100 16 256

coredump_dir /usr/local/squid/var/cache/squid

strip_query_terms off

httpd_suppress_version_string on

via off

forwarded_for transparent

vary_ignore_expire on

refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320

UPDATE: I have tried compiling squid 3.4.5 with openssl 1.0.1h . No improvements

© Server Fault or respective owner

Related posts about ssl

Related posts about proxy