Netgate Discussion Forum

Configure Options to secure SQuiD SSL connections (SQuiD 3.x)

    Reiner030
    last edited by May 12, 2015, 2:20 PM Jun 9, 2013, 6:06 PM

    Hi,

    if you test your reverse SQuiD proxy instance with https://www.ssllabs.com/ssltest/analyze.html you'll find out that it's insecure:

    Configuration
    
    Protocols
    TLS 1.2	 No
    TLS 1.1	 No
    TLS 1.0	 Yes
    SSL 3.0	Yes
    SSL 2.0   INSECURE	Yes
    
    Cipher Suites (sorted by strength; server has no preference)
    TLS_RC4_128_EXPORT40_WITH_MD5 (0x20080)   WEAK	40
    TLS_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   WEAK	40
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK	40
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK	40
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK	40
    TLS_DES_64_CBC_WITH_MD5 (0x60040)   WEAK	56
    TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK	56
    TLS_RC4_128_WITH_MD5 (0x10080)	128
    TLS_RC2_128_CBC_WITH_MD5 (0x30080)	128
    TLS_RSA_WITH_RC4_128_MD5 (0x4)	128
    TLS_RSA_WITH_RC4_128_SHA (0x5)	128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)	128
    TLS_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)	168
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)	168
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)	256
    
    Protocol Details
    Secure Renegotiation	Supported
    Secure Client-Initiated Renegotiation	Supported   DoS DANGER (more info)
    Insecure Client-Initated Renegotiation	No
    BEAST attack	Vulnerable   INSECURE (more info)
    Compression	No
    RC4	Yes   PROBLEMATIC (more info)
    Next Protocol Negotiation	No
    Session resumption	Yes
    Session tickets	Yes
    OCSP stapling	No
    Strict Transport Security	No
    Long handshake intolerance	No
    TLS extension intolerance	No
    TLS version intolerance	 0x0304: 0x301, 0x0399: 0x301, 0x0499: fail
    SSLv2 handshake compatibility	 Yes
    

    So I tried in "Proxy server: General settings", "General", Box "Custom Options" following lines as found e.g. in:
    http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-1-9-SSL-Reverse-PROXY-Insecure-Renegotiation-Supported-tp3043176p3043252.html :

    # SSL Options to 
    sslproxy_options NO_SSLv2
    sslproxy_cipher ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2 
    

    But it won't work. Is there compile support needed or what can be done here? Should be a global problem/wish ;)

    Bests

    Reiner

      Reiner030
      last edited by Jun 30, 2013, 4:38 AM

      Hi,

      seems that the sslproxy* options are only usable for CONNECT sessions.

      I tested it first with adding to my additional https_port line and then created following patch which works nice:

      --- /usr/local/pkg/squid_reverse.inc.orig       2013-06-17 22:14:28.000000000 +0200
      +++ /usr/local/pkg/squid_reverse.inc    2013-06-30 04:52:54.000000000 +0200
      @@ -82,7 +82,7 @@
                                      $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
                            //HTTPS
                            if (!empty($settings['reverse_https']))
      -                               $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
      +                               $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} cipher=RC4-SHA:HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE defaultsite={$https_defsite} vhost\n";
                              }
                      }
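      Review bot: the cipher=RC4-SHA:HIGH:!ADH string added to this https_port line lists RC4-SHA first and keeps RC4 enabled, while options= has no CIPHER_SERVER_PREFERENCE, so the order in the string is not enforced and the client still picks the suite. Suggest dropping RC4-SHA, using !aNULL instead of !ADH so anonymous ECDH suites inside HIGH are excluded too, and adding CIPHER_SERVER_PREFERENCE to options=. SINGLE_DH_USE only matters once ephemeral DH is in use, and the line passes no dhparams= file.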
      
      @@ -94,7 +94,7 @@
                                      $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
                            //HTTPS
                            if (!empty($settings['reverse_https']))
      -                               $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
      +                               $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} cipher=RC4-SHA:HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE defaultsite={$https_defsite} vhost\n";
                              }
                      }
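      Review bot: this second https_port line repeats the same hard-coded cipher=... options=... literal as the line in the first hunk. Build the TLS parameter string once in a variable and append it in both places so the two listeners cannot drift apart, and read it from $settings with this value as the default so it can be changed from the GUI without editing squid_reverse.inc.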
      

      Would be nice if you / the package maintainer can add it. Perhaps with additional selectable options per GUI so people can deactivate it if they need it for older browsers?

      For SQuiD3 package on 2.0.3 I get now following test result:

      Protocols
      TLS 1.2 No
      TLS 1.1 No
      TLS 1.0 Yes
      SSL 3.0 No
      SSL 2.0 No

      Cipher Suites (sorted by strength; the server has no preference)
      TLS_RSA_WITH_RC4_128_SHA (0x5) 128
      TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
      TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
      TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256

      Handshake Simulation (Experimental)
      Chrome 27 TLS 1.0 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
      Firefox 21 TLS 1.0 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
      Internet Explorer 9 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
      Internet Explorer 10 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
      Safari iOS 6.0.1 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
      Safari 5.1 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

      Protocol Details
      Secure Renegotiation Supported
      Secure Client-Initiated Renegotiation Supported  DoS DANGER (more info)
      Insecure Client-Initated Renegotiation No
      BEAST attack Vulnerable  INSECURE (more info)
      Compression No
      RC4 Yes  PROBLEMATIC (more info)
      Forward Secrecy No (more info)
      Next Protocol Negotiation No
      Session resumption Yes
      Session tickets Yes
      OCSP stapling No
      Strict Transport Security No
      Long handshake intolerance No
      TLS extension intolerance No
      TLS version intolerance 0x0304: 0x301, 0x0399: 0x301, 0x0499: fail
      SSLv2 handshake compatibility Yes

      Miscellaneous
      Test date Sun Jun 30 02:55:16 UTC 2013
      Test duration 40.310 seconds
      HTTP status code 200
      HTTP server signature Apache
      Server hostname <hidden server name>
      PCI compliant No
      FIPS-ready No

      so BEAST attack problem and PCI compliance would be still open (and optionally FIPS-ready support and OCSP stapling)…

      For PCI compliance I found this patch:
      http://www.sw-servers.net/how-to-pass-pci-tests-with-squid/

      For OCSP stapling it seems still in testing phase:
      http://wiki.squid-cache.org/Features/SslServerCertValidator

      and FIPS need OpenSSL support / seems not sooo important...

      Ah and I guess that TLS_v1.1 and TLS_v1.2 are supported in newer SQuiD versions, too?

      Bests

      Reiner

        dhatz
        last edited by Jun 30, 2013, 7:55 PM

        A month ago I posted about a related issue regarding pfSense's webGUI, but didn't get any response:

        webGUI webserver will not protect a client from the BEAST attack

        Also see https://bugzilla.redhat.com/show_bug.cgi?id=857051

          marcelloc
          last edited by Jul 3, 2013, 1:52 PM

          I'll try to update the gui this week or when time permits ;)

          Elite training: http://sys-squad.com

          Help a community developer! ;D

            stegfeld
            last edited by Apr 16, 2014, 10:41 AM

            hey there,

            just added the two lines

            $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} cipher=RC4-SHA:HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE defaultsite={$https_defsite} vhost\n";
            

            and

            $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} cipher=RC4-SHA:HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE defaultsite={$https_defsite} vhost\n";
            

            and restarted squid, but ssllabs ssltest tells me

            This server supports SSL 2, which is obsolete and insecure. Grade set to F.

            any ideas??

              AnthonyVDH
              last edited by May 8, 2014, 6:38 AM

              Thanks Reiner030, that improved my rating on ssllabs too. Were you able to get TLS 1.1 and 1.2 working with a reverse proxy package?

                stegbth
                last edited by May 12, 2015, 11:18 AM

                Hi,

                I upgraded (better: reinstalled and restored backup) to 2.2.2.
                This point still exists for package Squid3 (0.28).

                I added

                cipher=HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

                And a new Sha256 certificate, but the reverseproxy still does not support FS

                any ideas
                Thomas

                  digdug3
                  last edited by May 28, 2015, 11:52 AM

                  @stegbth:

                  Hi,

                  I upgraded (better: reinstalled and restored backup) to 2.2.2.
                  This point still exists for package Squid3 (0.28).

                  I added

                  cipher=HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

                  And a new Sha256 certificate, but the reverseproxy still does not support FS

                  any ideas
                  Thomas

                  Hi Thomas,

                  If you want FS on pfSense 64-Bit 2.2.2 with Squid3 v0.2.8 do this:

                  Log in to the pfSense secure shell
                  type:

                  
                  cd /usr/pbi/squid-amd64/local/etc/squid
                  openssl dhparam -out dhparams.pem 2048
                  
                  

                  To create the DH pool

                  In the Webinterface go to Services –> Reverse Proxy
                  In "Reverse HTTPS default site" give:

                  www.example.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE
                  

                  Or if you don't need older browsers to be able to access your site:

                  www.example.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=AES128-EECDH:AES128-EDH dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE
                  

                  Of course replace "www.example.com" with your main domainname/certificate

                  Thanks to https://www.cipherli.st

                  I know Squid3 v0.2.8 cannot use EECDHE. A patch has already been posted at the Squid forum.
                  http://lists.squid-cache.org/pipermail/squid-users/2015-May/003726.html

                    default666
                    last edited by Jul 29, 2015, 7:15 AM Jul 29, 2015, 7:12 AM

                    If you want FS on pfSense 64-Bit 2.2.2 with Squid3 v0.2.8 do this:

                    Log in to the pfSense secure shell
                    type:

                    cd /usr/pbi/squid-amd64/local/etc/squid
                    openssl dhparam -out dhparams.pem 2048

                    To create the DH pool

                    In the Webinterface go to Services –> Reverse Proxy
                    In "Reverse HTTPS default site" give:
                    www.example.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE

                    Or if you don't need older browsers to be able to access your site:
                    www.example.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=AES128-EECDH:AES128-EDH dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE

                    Of course replace "www.example.com" with your main domainname/certificate

                    Not working.  Qualys says: The server does not support Forward Secrecy with the reference browsers.

                      default666
                      last edited by Jul 30, 2015, 3:51 AM

                      the wrong line inserted, problem solved, used this string to get Qualys grade A with https://forum.pfsense.org/index.php?topic=82914.15:

                      some.domain.tld options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4 dhparams=/usr/pbi/squid-amd64/local/etc/squid/dhparams.pem sslflags=NO_SESSION_REUSE
                      

                      it's for squid 3 reverse proxy
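
An added example, not part of any post above and not pfSense or Squid code: a token-level lint for the `https_port` lines discussed in this thread, flagging the gaps the posters ran into (SSLv2/SSLv3 left on, RC4 still listed, no server cipher preference, no `dhparams=` for DHE forward secrecy). It assumes Squid 3.x offers DHE suites only when `dhparams=` is given, does not expand OpenSSL aliases such as `HIGH`, and the address and file paths in the sample lines are placeholders.

```python
# Lint for Squid 3.x https_port lines; token-level only, no OpenSSL alias expansion.
WEAK = ("RC4", "EXP", "DES", "MD5", "NULL", "ADH")  # "DES" also matches 3DES names

def parse_port_line(line):
    """Return the key=value parameters of an https_port line as a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit(line):
    """Return a list of findings for one https_port line (empty list = clean)."""
    p = parse_port_line(line)
    findings = []
    options = set(p.get("options", "").split(","))
    for needed in ("NO_SSLv2", "NO_SSLv3"):
        if needed not in options:
            findings.append("proto:" + needed + " not set")
    if "CIPHER_SERVER_PREFERENCE" not in options:
        findings.append("order:client chooses the suite")
    if "cipher" not in p:
        findings.append("cipher:no restriction")
    for tok in p.get("cipher", "").split(":"):
        if not tok or tok[0] in "!-":
            continue  # suite or alias is excluded, not enabled
        name = tok.lstrip("+")
        if any(marker in name.upper() for marker in WEAK):
            findings.append("weak:" + name)
    if "dhparams" not in p:
        findings.append("fs:no dhparams, DHE suites unavailable")
    return findings

# Constructed sample lines modelled on the thread; address and paths are placeholders.
BASE = "https_port 192.0.2.10:443 accel cert=/tmp/x.crt key=/tmp/x.key "
UNPATCHED = BASE + "defaultsite=www.example.com vhost"
PATCHED = BASE + ("cipher=RC4-SHA:HIGH:!ADH options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE "
                  "defaultsite=www.example.com vhost")
HARDENED = BASE + ("defaultsite=www.example.com "
                   "options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE "
                   "cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
                   "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4 "
                   "dhparams=/tmp/dhparams.pem sslflags=NO_SESSION_REUSE vhost")

if __name__ == "__main__":
    for label, line in (("unpatched", UNPATCHED), ("patched", PATCHED),
                        ("hardened", HARDENED)):
        print(label, audit(line) or "no findings")
```

A clean lint result only says the line asks for the right things; an external scan such as the SSL Labs test used in this thread is still what confirms what the listener actually negotiates.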