[squid-users] Squid 4: Cloudflare SSL connection problem

Yuri Voinov yvoinov at gmail.com
Tue Apr 12 18:39:18 UTC 2016


My openssl test shows the following Cloudflare cipher:

ECDHE-ECDSA-AES128-GCM-SHA256

So, the result is:

root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 4710875, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, C = US, postalCode = 94107, ST = California, L = San Francisco, street = "655 Third Street, Suite 200", O = "CloudFlare, Inc.", OU = COMODO EV Multi-Domain SSL
verify return:1
---
Certificate chain
 0 s:/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/postalCode=94107/ST=California/L=San Francisco/street=655 Third Street, Suite 200/O=CloudFlare, Inc./OU=COMODO EV Multi-Domain SSL
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/postalCode=94107/ST=California/L=San Francisco/street=655 Third Street, Suite 200/O=CloudFlare, Inc./OU=COMODO EV Multi-Domain SSL
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3826 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 46639E396A6540A888C8A9B1994C744D03810678A4F95951A5BBA293DD4BE284
    Session-ID-ctx:
    Master-Key: 26F7F58D4913230F3F93872E2E7390C7D762CDC3E46FC5AAA300866F316ED5A283A813DAFF738457C5B8F5E1340CC156
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - 94 71 18 10 6e 8b 7b d3-b1 a7 d9 d7 65 8f a6 ea   .q..n.{.....e...
    0010 - 45 fa 1b f8 c7 9b 94 a3-64 95 e7 15 c7 98 04 27   E.......d......'
    0020 - 09 bf 36 7e db f3 ab 82-17 21 f4 2b 26 13 79 94   ..6~.....!.+&.y.
    0030 - ce e7 30 7f c1 c2 3b 65-7e 76 28 46 d2 46 f3 8d   ..0...;e~v(F.F..
    0040 - 5a 54 2f 70 71 53 7a fd-fb 44 e0 df 4c 46 96 99   ZT/pqSz..D..LF..
    0050 - e7 63 c9 93 eb 34 32 0a-b4 af 6a db c1 f0 5d 10   .c...42...j...].
    0060 - 5e c3 af 9e 16 59 32 8c-b0 fb 8e cc 9a 48 8e 6a   ^....Y2......H.j
    0070 - 8d ee 85 5d d3 26 9d b1-96 32 ff 78 cb 93 3a ec   ...].&...2.x..:.
    0080 - 9c 5c bd c5 6c 24 93 d6-ad 0a c3 4e 86 a2 e6 28   .\..l$.....N...(
    0090 - 8c b1 a9 55 f0 01 6d ab-a2 44 52 b3 37 d6 9e 5a   ...U..m..DR.7..Z
    00a0 - 0c b8 1d 5b 6d 10 13 db-31 2b 4c 1a e4 46 36 84   ...[m...1+L..F6.

    Start Time: 1460486320
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

13.04.16 0:19, Eliezer Croitoru wrote:
> Hey Yuri,
>
> I will try to test it with a couple of versions of 4.0.x.
> But it's weird...
> The reason it's weird is that I have some kind of trust in, or understanding of, this test:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest
>
> I am not an SSL expert in general but I can use the openssl client to test and verify things.
> I have tested this scenario with openssl like this:
> # openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect www.cloudflare.com:443
> CONNECTED(00000003)
> 139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 119 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> And it seems that openssl does something which might be my fault, but if squid 3.5.16 works fine with it and 4.0.8 doesn't, it might be connected to the connection between the openssl library and the service, and squid only displays the issue in the nice html page.
> I do not know what service cloudflare uses and how it all works, but if openssl states that there is an issue with what the service is either sending or itself analyzing, then the issue is at the openssl level rather than squid.
>
> I am sure that both cloudflare and openssl and squid users, admins and devs want to resolve the issue.
>
> Eliezer
>
> On 12/04/2016 18:29, Yuri Voinov wrote:
>>
> UPDATE:
>
> Every failed connect produces the following sequence in access.log:
>
> 1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
> 1460474791.658      0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
>
> Note: 198.41.215.162 is the current cloudflare.com IP.
>
> Also: NONE_ABORTED/200 often occurs in access.log with other accessible sites.
>
> 12.04.16 20:03, Yuri Voinov wrote:
>
>       > UPDATE:
>
>       > https://i1.someimage.com/b8w5dFz.png
>
>       > This is the answer from Cloudflare support.
>
>       > But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 not?
>
>       > 12.04.16 17:55, Yuri Voinov wrote:
>       > > Does anybody face this problem with 4.0.8:
>
>       > > https://i1.someimage.com/3lD2cvV.png
>
>       > > ?
>
>       > > It is accompanied by this error in cache.log:
>
>       > > 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54:
>       > error:00000000:lib(0):func(0):reason(0) (5/0/0)
>
>       > > and "NONE/503" in access.log.
>
>       > > Without proxy it works like a charm. 3.5.16 with the similar squid.conf
>       > works like a charm.
>
>       > > NB: Cloudflare support said that the key feature for SSL is SNI and
>       > ECDSA now. AFAIK, 4.0.8 fully supports these features.
>
>       > > Any advice will be helpful.
>
>       > > Yes, I know this looks like DDoS protection on Cloudflare. But WTF?
>       > Any workaround required. Half the Internet is hosted on Cloudflare.
>
>       > > WBR, Yuri
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
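To make the kind of check Yuri and Eliezer ran above repeatable, here is an added example that is not part of this thread and not Squid project code: a small POSIX shell script that probes one or more cipher suites against a TLS endpoint with openssl s_client, passes SNI via -servername (the feature Cloudflare support named as essential, which s_client in the OpenSSL 1.0.x versions of that era does not send on its own), and classifies the outcome from s_client's own output instead of by eye. The function names classify_s_client, probe_cipher and probe_ciphers are my own; the script assumes an openssl binary on PATH and needs network access only for the live probe, while the classifier works on captured output.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid itself.
# Probe cipher-suite support with openssl s_client and classify the result.

# classify_s_client: read s_client output on stdin and print one of
#   OK <cipher>          handshake completed and the chain verified
#   UNVERIFIED <cipher>  handshake completed but "Verify return code" != 0
#   REJECTED             no cipher negotiated (e.g. "alert handshake failure")
# Exit status: 0 for OK, 2 for UNVERIFIED, 1 for REJECTED.
classify_s_client() {
    out=$(cat)
    # s_client prints "New, <proto>, Cipher is <suite>" or "Cipher is (NONE)"
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)")
            echo "REJECTED"
            return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "OK $cipher"
        return 0
    fi
    echo "UNVERIFIED $cipher"
    return 2
}

# probe_cipher HOST[:PORT] CIPHER  -- live check; sends SNI for HOST.
probe_cipher() {
    target=$1; cipher=$2
    servername=${target%%:*}
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    # empty stdin makes s_client exit right after the handshake
    printf '' | openssl s_client -cipher "$cipher" -servername "$servername" \
        -connect "$target" 2>&1 | classify_s_client
}

# probe_ciphers HOST CIPHER...  -- one result line per cipher suite.
probe_ciphers() {
    target=$1; shift
    for c in "$@"; do
        printf '%-40s %s\n' "$c" "$(probe_cipher "$target" "$c")"
    done
}

# CLI use: sh probe.sh www.cloudflare.com ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA
if [ "$#" -gt 0 ]; then
    probe_ciphers "$@"
fi
```

A REJECTED line with "sslv3 alert handshake failure" only means the server has no suite in common with the single suite offered, which is what Eliezer's ECDHE-ECDSA-AES256-SHA run shows; it says nothing about whether a client that offers a normal suite list, such as Squid, should fail. Compare it with the OK line for a suite the server does accept, and re-run without -servername to see whether SNI alone changes the answer, before attributing the problem to either side.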

