Link to home
Start Free TrialLog in
Avatar of pramod1
pramod1Flag for United States of America

asked on

SQUD PROXY SERVER, UNIX, SLL/HTTPS

we have squid proxy server.

we recently ran a scan and it returned a new vulnerability with regards to SSL/TLS, which is known as the “Sweet32” Birthday Attack.  The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers.  This does not affect the SSL Certificates – they do not need to be re-issued.

We have 8 systems that are affected by this.  can we have  determined if DES and 3DES can be disabled on those systems or any other plan of action.

https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/

https://sweet32.info
Avatar of arnold
arnold
Flag of United States of America image

HTTPS ssl ciphers can be disabled in the config !sslv2:!sslv3

You've listed too many thing that make it difficult to figure out what you have.

SSL/ciphers are controlled through openssl

What functions Does the system provide.
If you have a squid reverse proxy, web server look for OpenSSL disable vulnerable protocols ciphers.
Avatar of pramod1

ASKER

it is a Linux box  web proxy server  which redirects email traffic to our exchange server
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
Or you ave an users use it as a proxy, and you have a mailserver that functions as a scanning/anti-spam gateway to your exchange.

You have to identify each service (port) where the notice came up and adjust the secure portion configuration to restrict which protocols, cipher it offers.

It could be on your exchange, which using registry edit schannel can restrict which protocols, ciphers are available...
Avatar of pramod1

ASKER

the proxy is  running as a reverse proxy on which an DSL connection terminates and is then forwarded to exchange?
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial