
squid ssl bump sslv3 enforce to allow old sites


I have configured squid (3.4.2) as an ssl-bumped proxy. I am setting the proxy in firefox (29) to use squid for https/http. Now it works for most sites, but some sites which support the old SSL protocol (sslv3) break, and I see squid not employing any workarounds for those like browsers do.

Sites which should work: https://usc-excel.officeapps.live.com/, https://www.mahaconnect.in, https://kz.grfc.ru/portal/faces/app/materials/active.jspx

As a workaround I have set sslproxy_version=3, which enforces SSLv3, and the above sites work.

My question: is there a better way to do this which does not involve enforcing SSLv3 for servers supporting TLS1 or better?

Now I know openssl doesn't automatically handle that. But I imagined squid would.

My squid conf snippet:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/certs/SquidCA.pem
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
client_persistent_connections on
server_persistent_connections on
sslproxy_version 3
sslproxy_options ALL
cache_dir aufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
strip_query_terms off
httpd_suppress_version_string on
via off
forwarded_for transparent
vary_ignore_expire on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


Solution

  • This question was more in sync with Serverfault than stackoverflow. I got it answered there. https://serverfault.com/questions/604824/squid-ssl-bump-sslv3-enforce-to-allow-old-sites

    I have kept the question subject the same on both sites and am leaving this question be, in case somebody stumbles upon this question here instead of serverfault. Moderators are free to chuck this question out of stackoverflow.

    I had to stop supporting all the ciphers openssl supports and put in my custom list, which would be extended as and when required. https://usc-excel.officeapps.live.com/ supports RC4-MD5, so my cipher list is:

    sslproxy_cipher EDH-RSA-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:HIGH:!aNULL:!MD5:!ADH
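Added example (editor's code, not from the question, the answer, squid or OpenSSL): a small Python model of OpenSSL's cipher-string composition rules over a constructed subset of the suites named above, which shows which suites survive the `!` exclusions in the answer's sslproxy_cipher line and which of the survivors a defender would still flag. It assumes the OpenSSL 1.0.x alias definitions of the squid 3.4 era (3DES still counted as HIGH) and models only the suites in its table.

```python
# Constructed subset of the suites named in the answer: name -> (kx, auth, enc, mac).
CIPHERS = {
    "EDH-RSA-DES-CBC3-SHA":    ("DH",   "RSA",  "3DES",        "SHA1"),
    "ECDHE-RSA-RC4-SHA":       ("ECDH", "RSA",  "RC4",         "SHA1"),
    "ECDHE-RSA-AES128-SHA":    ("ECDH", "RSA",  "AES128",      "SHA1"),
    "DHE-RSA-AES128-SHA":      ("DH",   "RSA",  "AES128",      "SHA1"),
    "DHE-RSA-CAMELLIA128-SHA": ("DH",   "RSA",  "CAMELLIA128", "SHA1"),
    "AES128-SHA":              ("RSA",  "RSA",  "AES128",      "SHA1"),
    "RC4-SHA":                 ("RSA",  "RSA",  "RC4",         "SHA1"),
    "RC4-MD5":                 ("RSA",  "RSA",  "RC4",         "MD5"),
    "ADH-AES128-SHA":          ("DH",   "NULL", "AES128",      "SHA1"),
}
# Aliases as OpenSSL 1.0.x defined them (assumption: 3DES was still HIGH then).
ALIASES = {
    "HIGH":  lambda kx, au, enc, mac: enc in ("AES128", "CAMELLIA128", "3DES"),
    "aNULL": lambda kx, au, enc, mac: au == "NULL",
    "ADH":   lambda kx, au, enc, mac: kx == "DH" and au == "NULL",
    "MD5":   lambda kx, au, enc, mac: mac == "MD5",
}

def matches(name):
    """Suites selected by an exact name or an alias; unknown names select nothing."""
    if name in CIPHERS:
        return [name]
    pred = ALIASES.get(name)
    return [c for c, attrs in CIPHERS.items() if pred(*attrs)] if pred else []

def resolve(cipher_string):
    """Plain tokens append; '-' removes (can be re-added); '!' deletes permanently ('+' not modelled)."""
    chosen, killed = [], set()
    for tok in cipher_string.split(":"):
        if not tok or tok.startswith("@"):      # '@STRENGTH' only reorders; skip
            continue
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hits = matches(name)
        if op == "!":
            killed.update(hits)                 # can never reappear, even if listed again
        if op in ("!", "-"):
            chosen = [c for c in chosen if c not in hits]
        else:
            chosen += [c for c in hits if c not in chosen and c not in killed]
    return chosen

def weak_suites(chosen):
    """Survivors a defender would still flag: RC4, 3DES, MD5 MAC or anonymous auth."""
    return [c for c in chosen if CIPHERS[c][2] in ("RC4", "3DES") or CIPHERS[c][3] == "MD5" or CIPHERS[c][1] == "NULL"]

# The answer's sslproxy_cipher value, copied from the page.
PAGE_LIST = ("EDH-RSA-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
             "DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:HIGH:!aNULL:!MD5:!ADH")
```

Run `resolve(PAGE_LIST)` to see the resulting order and `weak_suites(...)` on it for the suites worth reviewing; the same rules also explain the difference between a `-MD5` and a `!MD5` exclusion for any other list.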