Solved

SQUD PROXY SERVER, UNIX, SLL/HTTPS

Posted on 2016-10-07
5
102 Views
Last Modified: 2016-10-10
we have squid proxy server.

we recently ran a scan and it returned a new vulnerability with regards to SSL/TLS, which is known as the “Sweet32” Birthday Attack.  The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers.  This does not affect the SSL Certificates – they do not need to be re-issued.

We have 8 systems that are affected by this.  can we have  determined if DES and 3DES can be disabled on those systems or any other plan of action.

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
0
Comment
Question by:pramod1
  • 3
  • 2
5 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 41834425
HTTPS ssl ciphers can be disabled in the config !sslv2:!sslv3

You've listed too many thing that make it difficult to figure out what you have.

SSL/ciphers are controlled through openssl

What functions Does the system provide.
If you have a squid reverse proxy, web server look for OpenSSL disable vulnerable protocols ciphers.
0
 

Author Comment

by:pramod1
ID: 41835060
it is a Linux box  web proxy server  which redirects email traffic to our exchange server
0
 
LVL 77

Expert Comment

by:arnold
ID: 41835089
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
Or you ave an users use it as a proxy, and you have a mailserver that functions as a scanning/anti-spam gateway to your exchange.

You have to identify each service (port) where the notice came up and adjust the secure portion configuration to restrict which protocols, cipher it offers.

It could be on your exchange, which using registry edit schannel can restrict which protocols, ciphers are available...
0
 

Author Comment

by:pramod1
ID: 41835268
the proxy is  running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 41835324
Look at the squid.conf file in particular sslproxy_ciphers.
See the reference below with the restriction.
http://www.squid-cache.org/mail-archive/squid-users/201003/0533.html
!SSLv3 will exclude ......
You can then use ssllabs.com to check the reverse proxy ssl/options.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question