[squid-users] Squid 4: Cloudflare SSL connection problem

Yuri Voinov yvoinov at gmail.com
Thu Apr 14 18:31:43 UTC 2016


Ok, nobody.

Well.

I've done my own research.

My suggestions:

CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
patches with CHACHA Poly support.

These patches are not in upstream. Moreover, the OpenSSL team has no plans
in the foreseeable future to support the latest ciphers.

So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid
4.x branch bug, because 3.5.x does the CF handshake.

LibreSSL does CHACHA right now.

The question is:

Amos, can Squid support LibreSSL and, if not, when do you plan to support it?

14.04.16 20:38, Yuri Voinov writes:
>
> Any ideas?
>
> Anybody?
>
> 13.04.16 2:37, Yuri Voinov writes:
>> I suggest the matter can be openssl, not OS:
>>
>> root @ cthulhu /patch # openssl version -a
>> OpenSSL 1.0.1s  1 Mar 2016
>> built on: Tue Mar  1 15:42:26 2016
>> platform: solaris64-x86_64-cc-sunw
>> options:  bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)
>> compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include  -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>> OPENSSLDIR: "/etc/opt/csw/ssl"
>>
>> 13.04.16 2:29, Yuri Voinov writes:
>>> root @ cthulhu /patch # dig www.cloudflare.com
>>>
>>> ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;www.cloudflare.com.            IN      A
>>>
>>> ;; ANSWER SECTION:
>>> www.cloudflare.com.     86400   IN      A       198.41.214.162
>>> www.cloudflare.com.     86400   IN      A       198.41.215.162
>>>
>>> ;; Query time: 538 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
>>> ;; MSG SIZE  rcvd: 68
>>>
>>> root @ cthulhu /patch # uname -a
>>> SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
>>>
>>> But I think OS does not matter here.
>>>
>>> 13.04.16 2:02, Eliezer Croitoru writes:
>>>> What does "dig www.cloudflare.com" result in?
>>>>
>>>> Also, what OS are you using? I am using CentOS 7 up to date...
>>>>
>>>> Eliezer
>>>>
>>>> On 12/04/2016 21:39, Yuri Voinov wrote:
>>>>> root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
>>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users


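The thread's diagnosis rests on whether the local TLS library offers the ChaCha20-Poly1305 suites and on what a single restricted-cipher handshake negotiates. Below is an added example (not code from the thread, Squid or OpenSSL) that performs both checks from Python's standard `ssl` module: it reports the linked OpenSSL and its ChaCha20 suites, and it repeats the `openssl s_client -cipher ... -connect` probe from the thread, returning the negotiated suite or the failure reason. The host, port and cipher string are parameters; the sample cipher list in the docstring is constructed.

```python
import socket
import ssl


def chacha_ciphers(names):
    """Return the cipher-suite names in `names` that use ChaCha20-Poly1305.

    Matches both OpenSSL naming (ECDHE-RSA-CHACHA20-POLY1305) and the
    IANA/TLS 1.3 naming (TLS_CHACHA20_POLY1305_SHA256).
    """
    return [n for n in names if "CHACHA20" in n.upper()]


def local_openssl_report():
    """Describe the OpenSSL this interpreter is linked against and list any
    ChaCha20-Poly1305 suite enabled in its default client cipher list."""
    ctx = ssl.create_default_context()
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "version": ssl.OPENSSL_VERSION,
        "enabled_suites": len(names),
        "chacha_suites": chacha_ciphers(names),
    }


def probe_handshake(host, port=443, cipher_string=None, timeout=5.0):
    """Attempt one TLS handshake, optionally restricted to `cipher_string`
    (OpenSSL syntax, e.g. 'ECDHE-ECDSA-AES128-GCM-SHA256' as in the thread).

    Returns the negotiated suite and protocol, or the error text. Note that
    set_ciphers() only restricts TLS 1.2 and older suites; a TLS 1.3 server
    may still negotiate one of the TLS 1.3 suites regardless of the string.
    """
    ctx = ssl.create_default_context()
    try:
        if cipher_string:
            ctx.set_ciphers(cipher_string)  # SSLError if nothing matches
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, protocol, _bits = tls.cipher()
                return {"ok": True, "cipher": name, "protocol": protocol}
    except (OSError, ssl.SSLError) as exc:  # SSLError is an OSError subclass
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(local_openssl_report())
    # The same probe the thread ran with openssl s_client (needs network):
    print(probe_handshake("www.cloudflare.com",
                          cipher_string="ECDHE-ECDSA-AES128-GCM-SHA256"))
```

If `chacha_suites` comes back empty, the local library cannot negotiate ChaCha20-Poly1305 with any peer, whatever the proxy in front of it does.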