Solved

SQUD PROXY SERVER, UNIX, SLL/HTTPS

Posted on 2016-10-07
5
146 Views
Last Modified: 2016-10-10
we have squid proxy server.

we recently ran a scan and it returned a new vulnerability with regards to SSL/TLS, which is known as the “Sweet32” Birthday Attack.  The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers.  This does not affect the SSL Certificates – they do not need to be re-issued.

We have 8 systems that are affected by this.  can we have  determined if DES and 3DES can be disabled on those systems or any other plan of action.

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
0
Comment
Question by:pramod1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 41834425
HTTPS ssl ciphers can be disabled in the config !sslv2:!sslv3

You've listed too many thing that make it difficult to figure out what you have.

SSL/ciphers are controlled through openssl

What functions Does the system provide.
If you have a squid reverse proxy, web server look for OpenSSL disable vulnerable protocols ciphers.
0
 

Author Comment

by:pramod1
ID: 41835060
it is a Linux box  web proxy server  which redirects email traffic to our exchange server
0
 
LVL 78

Expert Comment

by:arnold
ID: 41835089
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
Or you ave an users use it as a proxy, and you have a mailserver that functions as a scanning/anti-spam gateway to your exchange.

You have to identify each service (port) where the notice came up and adjust the secure portion configuration to restrict which protocols, cipher it offers.

It could be on your exchange, which using registry edit schannel can restrict which protocols, ciphers are available...
0
 

Author Comment

by:pramod1
ID: 41835268
the proxy is  running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 41835324
Look at the squid.conf file in particular sslproxy_ciphers.
See the reference below with the restriction.
http://www.squid-cache.org/mail-archive/squid-users/201003/0533.html
!SSLv3 will exclude ......
You can then use ssllabs.com to check the reverse proxy ssl/options.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Database storage, where is the exe actually on the disc? Playing a game selected randomly (how to generate random numbers).  Error trapping with try..catch to help the code run even if something goes wrong. Continuing from the seve…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question