[squid-users] Squid 3.5 Forward Secrecy on https_port

dweimer dweimer at dweimer.net
Wed Aug 12 20:38:10 UTC 2015


On 2015-08-12 3:22 pm, dweimer wrote:
> I am trying to see if I have found another Squid 3.5.x issue with
> FreeBSD 10, or if I just have something set wrong on my https_port
> settings.
> 
> The server I am testing with is currently running FreeBSD 10.2-RC3,
> with Squid 3.5.7, and LibreSSL 2.2.2. The Apache 2.4.16 server behind
> squid is using the same cipher list settings, and the same LibreSSL
> 2.2.2 library, and the same certificate file.
> 
> Here is the squid https_port line.
> 
> https_port 443 accel defaultsite=www.dweimer.net \
>  cert=/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt \
>  key=/common/GoDaddy.Cert/dweimer.net.key \
>  options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>  dhparams=dh.params \
>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4 \
>  vhost

Update, server wasn't finding the dh.params file
dhparams=/usr/local/etc/squid/dh.params

> Apache SSL Configuration
> SSLHonorCipherOrder On
> SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
> SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
> SSLCertificateFile "/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt"
> SSLCertificateKeyFile "/common/GoDaddy.Cert/dweimer.net.key"
> 
> Apache test:
> openssl s_client -tlsv1_2 -connect 192.168.5.2:443
> ...
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-CHACHA20-POLY1305
> ...
> 
> Squid test:
> openssl s_client -tlsv1_2 -connect 192.168.5.2:443
> ...

Update: New, TLSv1/SSLv3, Cipher is DHE-RSA-CHACHA20-POLY1305

> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2

Update:    Cipher    : DHE-RSA-CHACHA20-POLY1305

> ...
> 
> Squid Test with cipher from Apache specified:
> openssl s_client -tls1_2 -cipher ECDHE-RSA-CHACHA20-POLY1305 -connect
> 192.168.5.3:443
> CONNECTED(00000003)
> 34381405160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1133:SSL alert number 40
> 34381405160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:522:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
> ...
> 
> Squid does however use this cipher when connecting to the Apache
> server, even though the client isn't using a forward secrecy capable
> cipher (TLS_RSA_WITH_AES_256_CBC_SHA TLS1.2 reported by Firefox),
> determined by using a script with the PHP $_SERVER predefined variable
> connected through the reverse proxy.
> SERVER_PROTOCOL  HTTP/1.1
> SERVER_SOFTWARE  Apache/2.4.16 (FreeBSD) LibreSSL/2.2.2 SVN/1.8.14 
> PHP/5.6.11
> SSL_CIPHER       ECDHE-RSA-CHACHA20-POLY1305
> 
> Does anyone see something missing in my https_port configuration that
> is causing it to not use the ECDHE keys?

I made some updates above: the dh.params file wasn't being found, so I
changed that line to use the full path, and it's now using DHE ciphers,
but not ECDHE ciphers.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
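
The check done by eye in the message above, written as a small script: it reads saved `openssl s_client` output and reports whether the handshake negotiated ECDHE, DHE, a non-forward-secret cipher, or failed. This is an added example, not part of the original post; the function names and the trimmed sample transcripts are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the s_client output quoted in the post.
# The "static RSA" entry is constructed to show the non-forward-secret case.
SAMPLES = {
    "apache": "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305\n"
              "    Protocol  : TLSv1.2\n",
    "squid": "New, TLSv1/SSLv3, Cipher is DHE-RSA-CHACHA20-POLY1305\n"
             "    Protocol  : TLSv1.2\n",
    "squid, ECDHE forced": "handshake failure:s3_pkt.c:1133:SSL alert number 40\n"
                           "New, (NONE), Cipher is (NONE)\n",
    "static RSA": "New, TLSv1/SSLv3, Cipher is AES256-SHA\n",
}

def negotiated_cipher(output):
    """Return the cipher from the 'New, ..., Cipher is X' line, or None."""
    m = re.search(r"^New, .*Cipher is (\S+)\s*$", output, re.M)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)

def classify(output):
    """Return (kind, detail); kind is ECDHE, DHE, NO_FS or FAILED."""
    cipher = negotiated_cipher(output)
    if cipher is None:
        alert = re.search(r"SSL alert number (\d+)", output)
        detail = "alert " + alert.group(1) if alert else "no cipher negotiated"
        return ("FAILED", detail)
    # TLS 1.2-style OpenSSL names: the key exchange is the leading token.
    # Static "ECDH-" and plain RSA names (no prefix) are not forward secret.
    if cipher.startswith("ECDHE-"):
        return ("ECDHE", cipher)
    if cipher.startswith(("DHE-", "EDH-")):
        return ("DHE", cipher)
    return ("NO_FS", cipher)

def summarize(samples):
    """Classify every named transcript."""
    return {name: classify(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, (kind, detail) in summarize(SAMPLES).items():
        print(f"{name:22} {kind:6} {detail}")
```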

