Adding Bluecoat part from Adam Lewicki, as well as a few minor things regarding squid
authorUlrich <ulrich.poeschl@bmlv.gv.at>
Thu, 21 Nov 2013 16:16:15 +0000 (17:16 +0100)
committerUlrich <ulrich.poeschl@bmlv.gv.at>
Thu, 21 Nov 2013 16:16:15 +0000 (17:16 +0100)
src/gitHeadInfo.gin
src/links.tex
src/practical_settings.tex
src/proxy_solutions.tex

index f6cc307..24c8bae 100644 (file)
@@ -1,15 +1,15 @@
 \usepackage[%
-                shash={ff21d4b},
-                lhash={ff21d4b792b909a75c3cf5be4202e69c1c59812b},
-                authname={Ulrich},
-                authemail={ulrich.poeschl@bmlv.gv.at},
+                shash={daebc60},
+                lhash={daebc6054be597efab924172e6c7afcff217efcd},
+                authname={Aaron Kaplan},
+                authemail={aaron@lo-res.org},
                 authsdate={2013-11-21},
-                authidate={2013-11-21 10:54:09 +0100},
-                authudate={1385027649},
-                commname={Ulrich},
-                commemail={ulrich.poeschl@bmlv.gv.at},
+                authidate={2013-11-21 16:33:43 +0100},
+                authudate={1385048023},
+                commname={Aaron Kaplan},
+                commemail={aaron@lo-res.org},
                 commsdate={2013-11-21},
-                commidate={2013-11-21 10:54:09 +0100},
-                commudate={1385027649},
-                refnames={ (HEAD, master)}
+                commidate={2013-11-21 16:33:43 +0100},
+                commudate={1385048023},
+                refnames={ (HEAD, origin/master, origin/HEAD, master)}
         ]{gitsetinfo}
\ No newline at end of file
index cac0ea3..688f920 100644 (file)
@@ -20,4 +20,6 @@
 \item Factoring as a Service: \url{http://crypto.2013.rump.cr.yp.to/981774ce07e51813fd4466612a78601b.pdf}
 \item Black Ops of TCP/IP 2012: \url{http://dankaminsky.com/2012/08/06/bo2012/}
 \item SSL and the Future of Authenticity, Moxie Marlinspike - Black Hat USA 2011: \url{http://www.youtube.com/watch?v=Z7Wl2FW2TcA}
+\item enisa - Algorithms, Key Sizes and Parameters Report (Oct.'13) \url{http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report}
+
 \end{itemize}
index 6ef9aef..f5e1552 100644 (file)
@@ -737,7 +737,7 @@ Adi?? }
 
 \input{DBs}
 
-\input{proxy_solutions}
+\input{proxy_solutions} 
 
 
 
index 0315e25..dc6157f 100644 (file)
@@ -17,9 +17,35 @@ While the latest solution might be the most "up to date", it arises a new front
 Conclusio: Don't forget to check your proxy solutions ssl-capabilities. Also do so for your reverse-proxies!
 
 \subsubsection{squid}
-\todo{Write}
+
+
+As of squid-3.2.7 (01 Feb 2013) there is support for the OpenSSL NO\_Compression option within squid config (CRIME attack) and if you combine that in the config file, with an enforcement of the server cipher preferences (BEAST Attack) you are safe.
+
+\paragraph*{squid.conf}\mbox{}\\
+squid.conf
+
+\todo{UNTESTED!}
+\begin{lstlisting}[breaklines]
+options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE 
+cipher=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH [...]
+\end{lstlisting}
+
+
+
+\todo{UNTESTED!}
+\begin{lstlisting}[breaklines]
+options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE 
+cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
+\end{lstlisting}
+
+
+
+\paragraph*{squid.conf}\mbox{}\\
+squid.conf
+
 %% http://forum.pfsense.org/index.php?topic=63262.0
 
+\todo{UNTESTED!}
 \begin{lstlisting}[breaklines]
                NO_SSLv2    Disallow the use of SSLv2
                NO_SSLv3    Disallow the use of SSLv3
@@ -31,8 +57,80 @@ Conclusio: Don't forget to check your proxy solutions ssl-capabilities. Also do
                                DH key exchanges
 \end{lstlisting}
 
+\todo{Patch here? Definitely working for 3.2.6!}
+For squid Versions before 3.2.7 use this patch against a vanilla source-tree:
+
+\begin{lstlisting}[breaklines]
+--- support.cc.ini      2013-01-09 02:41:51.000000000 +0100
++++ support.cc  2013-01-21 16:13:32.549383848 +0100
+@@ -400,6 +400,11 @@
+         "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+     },
+ #endif
++#ifdef SSL_OP_NO_COMPRESSION
++    {
++        "NO_Compression", SSL_OP_NO_COMPRESSION
++    },
++#endif
+     {
+         "", 0
+     },
+\end{lstlisting}
+
+
+
 \subsubsection{Bluecoat}
-\todo{sure?}
+%% https://kb.bluecoat.com/index?page=content&id=KB5549
+\begin{description}
+\item[Tested with Version:] SGOS 6.5.x
+
+BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.
+
+\item[Only allow TLS 1.0,1.1 and 1.2 protocols:] \mbox{}
+
+\begin{lstlisting}[breaklines]
+$conf t
+$(config)ssl
+$(config ssl)edit ssl-device-profile default
+$(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
+  ok
+\end{lstlisting}
+\item[Select your accepted cipher-suites:]
+
+\begin{lstlisting}[breaklines]
+$conf t
+Enter configuration commands, one per line.  End with CTRL-Z.
+$(config)proxy-services
+$(config proxy-services)edit ReverseProxyHighCipher
+$(config ReverseProxyHighCipher)attribute cipher-suite
+Cipher#  Use        Description        Strength
+-------  ---  -----------------------  --------
+      1  yes            AES128-SHA256      High
+      2  yes            AES256-SHA256      High
+      3  yes               AES128-SHA    Medium
+      4  yes               AES256-SHA      High
+      5  yes       DHE-RSA-AES128-SHA      High
+      6  yes       DHE-RSA-AES256-SHA      High
+               [...]
+     13  yes          EXP-RC2-CBC-MD5    Export
+
+Select cipher numbers to use, separated by commas: 2,5,6
+  ok
+\end{lstlisting}
+
+The same protocols are available for forward proxy settings and should be adjusted accordingly:
+In your local policy file add the following section:
+\begin{lstlisting}[breaklines]
+<ssl>
+    DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
+\end{lstlisting}
+
+Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (misconfigured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)
+
+\end{description} 
+
+
+
 
 \subsubsection{Pound}
 % See http://www.apsis.ch/pound