Solved

SQUD PROXY SERVER, UNIX, SLL/HTTPS

Posted on 2016-10-07
5
93 Views
Last Modified: 2016-10-10
we have squid proxy server.

we recently ran a scan and it returned a new vulnerability with regards to SSL/TLS, which is known as the “Sweet32” Birthday Attack.  The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers.  This does not affect the SSL Certificates – they do not need to be re-issued.

We have 8 systems that are affected by this.  can we have  determined if DES and 3DES can be disabled on those systems or any other plan of action.

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
0
Comment
Question by:pramod1
  • 3
  • 2
5 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 41834425
HTTPS ssl ciphers can be disabled in the config !sslv2:!sslv3

You've listed too many thing that make it difficult to figure out what you have.

SSL/ciphers are controlled through openssl

What functions Does the system provide.
If you have a squid reverse proxy, web server look for OpenSSL disable vulnerable protocols ciphers.
0
 

Author Comment

by:pramod1
ID: 41835060
it is a Linux box  web proxy server  which redirects email traffic to our exchange server
0
 
LVL 77

Expert Comment

by:arnold
ID: 41835089
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
Or you ave an users use it as a proxy, and you have a mailserver that functions as a scanning/anti-spam gateway to your exchange.

You have to identify each service (port) where the notice came up and adjust the secure portion configuration to restrict which protocols, cipher it offers.

It could be on your exchange, which using registry edit schannel can restrict which protocols, ciphers are available...
0
 

Author Comment

by:pramod1
ID: 41835268
the proxy is  running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 41835324
Look at the squid.conf file in particular sslproxy_ciphers.
See the reference below with the restriction.
http://www.squid-cache.org/mail-archive/squid-users/201003/0533.html
!SSLv3 will exclude ......
You can then use ssllabs.com to check the reverse proxy ssl/options.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
https to http for whole site 3 79
Reducing the size of certificate chain 2 75
Python Assistance 7 80
SEO, SSL, and Canonical URL Tags 5 95
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question