Solved

SQUID PROXY SERVER, UNIX, SSL/HTTPS

Posted on 2016-10-07
74 Views
Last Modified: 2016-10-10
We have a Squid proxy server.

We recently ran a scan and it returned a new vulnerability with regard to SSL/TLS, known as the “Sweet32” Birthday Attack. The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers. This does not affect the SSL certificates; they do not need to be re-issued.

We have 8 systems that are affected by this. Can we determine whether DES and 3DES can be disabled on those systems, or find another plan of action?

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
Question by: pramod1
5 Comments
 
LVL 77

Expert Comment

by: arnold
ID: 41834425
HTTPS SSL ciphers can be disabled in the config: !sslv2:!sslv3

You've listed too many things, which makes it difficult to figure out what you have.

SSL/ciphers are controlled through OpenSSL.

What functions does the system provide?
If you have a Squid reverse proxy or web server, look up how to disable vulnerable protocols and ciphers in OpenSSL.
 

Author Comment

by: pramod1
ID: 41835060
It is a Linux box, a web proxy server which redirects email traffic to our Exchange server.
 
LVL 77

Expert Comment

by: arnold
ID: 41835089
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange?
Or do you have users use it as a proxy, and you have a mail server that functions as a scanning/anti-spam gateway to your Exchange?

You have to identify each service (port) where the notice came up and adjust the secure portion of the configuration to restrict which protocols and ciphers it offers.

It could be on your Exchange, which, using a registry edit of SChannel, can restrict which protocols and ciphers are available...
 

Author Comment

by: pramod1
ID: 41835268
The proxy is running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange.
 
LVL 77

Accepted Solution

by: arnold (earned 500 total points)
ID: 41835324
Look at the squid.conf file, in particular sslproxy_ciphers.
See the reference below with the restriction.
http://www.squid-cache.org/mail-archive/squid-users/201003/0533.html
!SSLv3 will exclude ......
You can then use ssllabs.com to check the reverse proxy SSL options.
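The following script is an added example, not code from this thread or from the Squid project. It illustrates both the accepted solution (restrict the cipher list in squid.conf) and the earlier advice to identify each listening service and check what it offers. Sweet32 targets 64-bit block ciphers, which in TLS means the 3DES suites, so the fix is to stop offering them. Two points worth knowing before editing the file: on OpenSSL 1.0.x the HIGH alias still contains DES-CBC3-SHA, so a list like HIGH:MEDIUM does not remove 3DES on its own, and in Squid 3.x the suites a scanner sees on the listening port come from the cipher= option of https_port, while sslproxy_cipher governs the outbound connection Squid makes towards the origin (here, Exchange). Both should be hardened. The hostname mail.example.com, the certificate paths and port 443 are placeholders I assumed for the example; the cipher string itself is in OpenSSL syntax, which Squid passes through unchanged.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Squid project.
# Builds a DES/3DES-free OpenSSL cipher string for a Squid 3.x reverse proxy,
# prints the https_port line that uses it, and can probe a listener for 3DES.
# Hostname, certificate paths and port below are placeholders (assumptions).

# Constructed "before" list, typical of older squid.conf files. On OpenSSL
# 1.0.x the HIGH alias still includes DES-CBC3-SHA, so this still offers 3DES.
WEAK_CIPHERS='HIGH:MEDIUM:!aNULL:!MD5'

# strip_des LIST: drop every explicit DES/3DES entry, then append the !3DES
# and !DES exclusions. OpenSSL treats '!' as permanent removal, so no alias
# elsewhere in the string (HIGH, MEDIUM, DEFAULT) can re-enable those suites.
strip_des() {
    kept=$(printf '%s\n' "$1" | tr ':' '\n' | grep -v 'DES' | paste -s -d ':' -)
    if [ -n "$kept" ]; then kept="$kept:"; fi
    printf '%s!3DES:!DES\n' "$kept"
}

# des_excluded LIST: returns 0 when LIST carries both exclusions and enables
# no DES suite explicitly, 1 otherwise. This is a static check on the string;
# 'openssl ciphers -v "$LIST"' shows the suites OpenSSL actually expands it to.
des_excluded() {
    entries=$(printf '%s\n' "$1" | tr ':' '\n')
    printf '%s\n' "$entries" | grep -qx '!3DES' || return 1
    printf '%s\n' "$entries" | grep -qx '!DES'  || return 1
    ! printf '%s\n' "$entries" | grep -v '^!' | grep -q 'DES'
}

# squid_https_port PORT LIST: an accel-mode (reverse proxy) https_port line
# for Squid 3.x. options=NO_SSLv2,NO_SSLv3 drops the old protocols; cipher=
# sets the suites offered to clients. Paths and defaultsite are placeholders.
squid_https_port() {
    printf 'https_port %s accel defaultsite=mail.example.com cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key options=NO_SSLv2,NO_SSLv3 cipher=%s\n' "$1" "$2"
}

# probe_3des HOST:PORT: offer the listener only a 3DES suite. A hardened
# server refuses the handshake and s_client exits non-zero. Needs openssl and
# network access, so it runs only when a target is given on the command line.
probe_3des() {
    if printf '' | openssl s_client -connect "$1" -cipher 'DES-CBC3-SHA' >/dev/null 2>&1; then
        printf '%s still accepts 3DES\n' "$1"
        return 1
    fi
    printf '%s rejects 3DES\n' "$1"
}

HARDENED_CIPHERS=$(strip_des "$WEAK_CIPHERS")
echo "# before:"; squid_https_port 443 "$WEAK_CIPHERS"
echo "# after:";  squid_https_port 443 "$HARDENED_CIPHERS"
des_excluded "$WEAK_CIPHERS"     || echo "# weak list still offers 3DES"
des_excluded "$HARDENED_CIPHERS" && echo "# hardened list excludes DES and 3DES"
if [ "$#" -gt 0 ]; then probe_3des "$1"; fi
```

Run it with no arguments to print the before and after https_port lines; run it with a target such as proxy.example.com:443 (placeholder) to probe a live listener. Apply the hardened cipher= value to https_port, set the same string on sslproxy_cipher for the outbound side, reload with `squid -k reconfigure`, then re-run the scanner or the ssllabs.com test that the accepted solution mentions to confirm no 3DES suite is negotiable.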
