RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse PROXY - Insecure Renegotiation Supported

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 15 Nov 2010 22:54:41 +0000

On Mon, 15 Nov 2010 21:33:40 +0000, Sébastien WENSKE <sebastien_at_wenske.fr>
wrote:
> Thanks for your support Dean, but I'm definitely a n00b :)
> I have compiled many times (without error) with some ssl paths, but with
> no result; I got the same result on the scan...
>
> I compiled openssl with no particular option (no make install)
>
> ./configure --localstatedir=/var --prefix=/usr --includedir=/usr/include
> --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid
> --exec-prefix=/usr --sysconfdir=/etc/squid --enable-x-accelerator-vary
> --with-default-user=proxy --enable-ssl --enable-follow-x-forwarded-for
> --enable-underscores --enable-delay-pools --enable-cache-digests
> --enable-auth="basic" --enable-ecap
> --with-openssl=/usr/src/openssl/openssl-1.0.0a/include/openssl

I think this should be
  --with-openssl=/usr/src/openssl/openssl-1.0.0a/

>
> I'm lost ... I need to fix this issue before implementing this in my
> company ...
>
> Cheers,
>
> Sebastian
>
> -----Original Message-----
> From: Dean Weimer [mailto:dweimer_at_orscheln.com]
> Sent: Monday, 15 November 2010 19:56
> To: Sébastien WENSKE; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL Reverse
> PROXY - Insecure Renegotiation Supported
>
>> -----Original Message-----
>> From: Sébastien WENSKE [mailto:sebastien_at_wenske.fr]
>> Sent: Monday, November 15, 2010 11:29 AM
>> To: squid-users_at_squid-cache.org
>> Subject: [squid-users] RE: RE : [squid-users] [Squid 3.1.9] SSL
>> Reverse PROXY
>> - Insecure Renegotiation Supported
>>
>> Thanks Dean,
>>
>> I have tried to compile with openssl 10.0.0a, but I get the same result...
>> even with sslproxy_ directives.
>>
>> Can you check your server on https://www.ssllabs.com/ssldb/index.html
>> just to see....
>>
>> In my case:
>>
>> browser <--- HTTPS ----> reverse proxy (squid 3.1.9) <---- HTTP -----> OWA 2010 (IIS 7.5)
>>
>> Maybe I missed something, how can I see which version of openssl is used
>> in squid?
>>
>
> Here is the information I got back, minus the certificate section, the
> overall score was a 91. When you compiled with openssl, make sure to use
> the --with-openssl=[DIR] to specify your path. To make sure you hit the
> version you installed, and not the local system libraries as they may
> differ. Though it would be best to update the local system libraries as
> well if possible.
>
> Protocols
> TLS 1.2 No
> TLS 1.1 No
> TLS 1.0 Yes
> SSL 3.0 Yes
> SSL 2.0+ Upgrade Support Yes
> SSL 2.0 No
>
>
> Cipher Suites (sorted; server has no preference)
> TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 128
> TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
>
>
> Miscellaneous
> Test date Mon Nov 15 18:49:14 UTC 2010
> Test duration 102.430 seconds
> Server signature Microsoft-IIS/6.0
> Session resumption Yes
> Renegotiation Secure Renegotiation Supported
> Strict Transport Security No
> TLS Version Tolerance 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
> PCI compliant Yes
> FIPS-ready No
>
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
Received on Mon Nov 15 2010 - 22:54:44 MST
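
An added example, not part of the thread: one way to check locally what the scan reports and which libssl a built squid binary resolves to, by parsing `openssl s_client` and `ldd` output. The function names and the prefix argument are hypothetical, and the sample invocations in the comments use placeholder hosts and paths.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not squid or OpenSSL tools.

# reneg_status: read `openssl s_client` output on stdin and report whether the
# server advertised secure renegotiation (RFC 5746).
#   openssl s_client -connect proxy.example:443 </dev/null 2>&1 | reneg_status
reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { r = "insecure" }
        /Secure Renegotiation IS supported/     { r = "secure" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# linked_libssl: read `ldd <squid binary>` output on stdin and print the libssl
# path the dynamic linker resolves. "not-dynamic" means no libssl line at all
# (statically linked, or built without SSL); "missing" means ldd found no file.
linked_libssl() {
    awk '
        $1 ~ /^libssl\.so/ && $2 == "=>" {
            print ($3 == "not" ? "missing" : $3); found = 1; exit
        }
        END { if (!found) print "not-dynamic" }
    '
}

# check_build: compare the resolved libssl with the directory the build was
# meant to use. Returns 0 only when the library lives under that prefix.
#   ldd /usr/sbin/squid | check_build /usr/local/ssl
check_build() {
    expected_prefix=${1%/}          # tolerate a trailing slash
    lib=$(linked_libssl)
    case "$lib" in
        "$expected_prefix"/*) echo "ok $lib"; return 0 ;;
        not-dynamic|missing)  echo "$lib"; return 1 ;;
        *)                    echo "mismatch $lib"; return 1 ;;
    esac
}
```

A "mismatch" result is the case described in the quoted advice: the binary picked up the system libraries rather than the OpenSSL tree passed to `--with-openssl`.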
