Solved

SQUID PROXY SERVER, UNIX, SSL/HTTPS

Posted on 2016-10-07
Last Modified: 2016-10-10
We have a Squid proxy server.

We recently ran a scan and it returned a new vulnerability with regard to SSL/TLS, which is known as the “Sweet32” Birthday Attack. The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers. This does not affect the SSL certificates – they do not need to be re-issued.

We have 8 systems that are affected by this. Can it be determined whether DES and 3DES can be disabled on those systems, or is there any other plan of action?

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
Question by:pramod1
LVL 80

Expert Comment

by:arnold
ID: 41834425
HTTPS SSL ciphers can be disabled in the config: !sslv2:!sslv3

You've listed too many things, which makes it difficult to figure out what you have.

SSL/ciphers are controlled through OpenSSL.

What functions does the system provide?
If you have a Squid reverse proxy or web server, look for the OpenSSL options to disable vulnerable protocols/ciphers.
0
 

Author Comment

by:pramod1
ID: 41835060
It is a Linux box, a web proxy server which redirects email traffic to our Exchange server.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41835089
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange?
Or do you have users use it as a proxy, and you have a mail server that functions as a scanning/anti-spam gateway to your Exchange?

You have to identify each service (port) where the notice came up and adjust the secure portion of its configuration to restrict which protocols and ciphers it offers.

It could be on your Exchange, where a registry edit of Schannel can restrict which protocols and ciphers are available...
0
 

Author Comment

by:pramod1
ID: 41835268
The proxy is running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange.
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 41835324
Look at the squid.conf file, in particular sslproxy_ciphers.
See the reference below with the restriction.
http://www.squid-cache.org/mail-archive/squid-users/201003/0533.html
!SSLv3 will exclude ......
You can then use ssllabs.com to check the reverse proxy's SSL options.
0
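A way to audit squid.conf on each of the affected systems before re-running the scan, as an added example that is not part of the original thread: it reports, per cipher setting, whether 3DES is permanently excluded (`!3DES`), explicitly offered, or left to whatever the installed OpenSSL puts in aliases such as HIGH. The sample config is constructed, `classify` and `audit` are hypothetical helper names, and besides the `sslproxy_ciphers` line named in the answer it also reads the `cipher=` option of `https_port` lines, where a reverse proxy sets the ciphers for its listening port.

```python
import re

# Constructed sample squid.conf for a reverse proxy (not from the original thread).
SAMPLE_CONF = """\
# reverse proxy in front of Exchange (constructed example)
https_port 443 accel cert=/etc/squid/proxy.pem cipher=HIGH:!aNULL:!MD5 defaultsite=mail.example.test
https_port 8443 accel cert=/etc/squid/proxy.pem cipher=HIGH:!aNULL:!3DES:!DES
sslproxy_ciphers HIGH:MEDIUM:DES-CBC3-SHA
"""

def classify(cipher_string):
    """Return 'excluded', 'offered' or 'implicit' for 3DES in an OpenSSL cipher string."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    # "!3DES" removes the 3DES suites permanently, whatever else the string names.
    if "!3DES" in tokens:
        return "excluded"
    for tok in tokens:
        if tok[0] in "!-":
            continue  # a removal of something else; "-3DES" can be re-added later
        parts = tok.lstrip("+").split("+")
        if "3DES" in parts or "DES-CBC3" in tok:
            return "offered"
    # Nothing explicit: the outcome depends on what aliases such as HIGH or
    # DEFAULT contain in the installed OpenSSL build, so confirm with a scan.
    return "implicit"

def audit(conf_text):
    """Return a list of (line_number, directive, cipher_string, verdict)."""
    findings = []
    for num, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"(sslproxy_ciphers?)\s+(.+)", line)
        if m:
            findings.append((num, m.group(1), m.group(2), classify(m.group(2))))
        elif line.startswith("https_port"):
            m = re.search(r"\bcipher=(\S+)", line)
            value = m.group(1) if m else ""  # no cipher= means library defaults
            findings.append((num, "https_port", value, classify(value)))
    return findings

if __name__ == "__main__":
    for num, directive, value, verdict in audit(SAMPLE_CONF):
        print(f"line {num}: {directive} [{value or 'no cipher= set'}] -> 3DES {verdict}")
```

Anything reported as "implicit" or "offered" is a candidate for adding `!3DES:!DES` to the cipher string, followed by a re-check of the port with the scanner.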


Question has a verified solution.
