[squid-users] Squid 4: Cloudflare SSL connection problem

Yuri Voinov yvoinov at gmail.com
Sat Apr 16 16:50:36 UTC 2016


3.5.16 on *NIX also has this issue.

Only 3.5.16 Win64 works like a charm.

16.04.16 17:18, Yuri Voinov wrote:
> mozilla.org now has the same issue on Squid 4 as CloudFlare:
>
> https://i1.someimage.com/P03GmSY.png
>
> All OK, but the handshake does not complete:
>
> root @ cthulhu / # /usr/local/bin/openssl s_client -connect mozilla.org:443 -CApath /etc/ope/csw/ssl/certs
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
> verify return:1
> depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = California, serialNumber = C2543436, street = 650 Castro St Ste 300, postalCode = 94041, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = www.mozilla.org
> verify return:1
> ---
> Certificate chain
>  0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIHWTCCBkGgAwIBAgIQBQ5gs8e9nTbV62rD+8G95jANBgkqhkiG9w0BAQUFADBp
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
> ZSBFViBDQS0xMB4XDTE1MTEyNDAwMDAwMFoXDTE2MTIyOTEyMDAwMFowggEFMR0w
> GwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJV
> UzEbMBkGCysGAQQBgjc8AgECEwpDYWxpZm9ybmlhMREwDwYDVQQFEwhDMjU0MzQz
> NjEeMBwGA1UECRMVNjUwIENhc3RybyBTdCBTdGUgMzAwMQ4wDAYDVQQREwU5NDA0
> MTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
> dW50YWluIFZpZXcxGzAZBgNVBAoTEk1vemlsbGEgRm91bmRhdGlvbjEYMBYGA1UE
> AxMPd3d3Lm1vemlsbGEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
> AQEAuHHB4NGHII28Vm4WrSFjZN5YM0bEBuVbPcwbwBAEinRe9Iwwwye359vVs24o
> 5YRnSkjkJYfrXHEb8f836GXBotN1xcxsrOi7brTJcA4qeE5ntby6V6wdlxKEy5mt
> 2Fd9P7wl9v1UlXmHyFxpF9UlDDoSuiDGUO+Q0U9lipKOrKoA3Q1Uzp/ntwrZL01B
> V4AUgTQf6b1HLu3ZD8CUG9xrq4Isi4OIMaJQX+kVwrQqxLe3Ahmjq9uP2iXAiLf7
> aVluTyFgfAfvv1/pf0193zgQoe0oGDReh5/QrbO6j+XtV2sHDnDen+mQO2/GNwET
> fQPCIKIroGf4JUnftt7Cwz1KmQIDAQABo4IDXTCCA1kwHwYDVR0jBBgwFoAUTFjL
> JfBBT1L0KMiBQ5umqKDmkuUwHQYDVR0OBBYEFIPU1A81pLqLvmE3YsGWDTbHxzc5
> MCcGA1UdEQQgMB6CD3d3dy5tb3ppbGxhLm9yZ4ILbW96aWxsYS5vcmcwDgYDVR0P
> AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBjBgNVHR8E
> XDBaMCugKaAnhiVodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3Js
> MCugKaAnhiVodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3JsMEsG
> A1UdIAREMEIwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
> LmRpZ2ljZXJ0LmNvbS9DUFMwBwYFZ4EMAQEwfQYIKwYBBQUHAQEEcTBvMCQGCCsG
> AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRwYIKwYBBQUHMAKGO2h0
> dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VF
> VkNBLTEuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoB
> aAB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUTfFoGwAAAQD
> AEcwRQIgPZSqJS9xxOfr4sFkB73ocAWRnHK4/fgEkIvVubEtLwkCIQDIXB59Y1A4
> SgdJPmwIeRXjshq7jkmz7mgc0Nap53UG2AB2AGj2mPgfZIK+OozuuSgdTPxxUV1n
> k9RE0QpnrLtPT/vEAAABUTfFoJ0AAAQDAEcwRQIgUGvntxlKFSY7iveb6BCCdGhs
> 28DU5EF1TcFH4DHAnX0CIQDstuSiKY0gs3YJ6x4S+GOxuK7V/8zEhNF7vEYADCPX
> 6QB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABUTfFoVUAAAQD
> AEcwRQIhAInj1bkZoUGmg39jrIN0z9tAmjPPc39UW3X/xP49q3C1AiBLG+iv0BKe
> sbUPcoFF6DYlr+rp7fbplMYNT60UnVAlrTANBgkqhkiG9w0BAQUFAAOCAQEAvc7m
> sTP08cANcDPsPyEKXAvv9CW1ugYLUK4XC/JylqCiluDYbgazfjRTraTbDNlmXk+Y
> SEVBFGJX005hIhn/qztA/+p2XEcnMJWy1cyCflxdQKWn51XGhN1jlTAa31Ps7WI/
> YPAL2taqn5EBDtUFT5790/ve09Fnyhh6elnXuy9ujJRCuVn+oXTtKlhVrIjEjzZ9
> zFyyv3SaTWX9xb9MBfOPaO6cGihHjhAo4mj3X6fJsvEnNGqs/NJXCpwiprjbidjL
> yeKPUhN2/hSSDAmzFd4X+B1Xx7cUXWkJHQrfosFSoiRDYmX/JnAgr0ObibjKuWPV
> 9Rs6HCB6QKS3grfX/w==
> -----END CERTIFICATE-----
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4163 bytes and written 446 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID: E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA
>     Session-ID-ctx:
>     Master-Key: D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B
>     Start Time: 1460805325
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> access.log also got NONE/503:
>
> 1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
>
> and cache.log:
>
> 2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>
> 15.04.16 15:17, Amos Jeffries wrote:
>> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
>>> Ok, nobody.
>>>
>>> Well.
>>>
>>> I've done my own research.
>>>
>>> My suggestions:
>>>
>>> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
>>> patches with CHACHA Poly support.
>>>
>>> These patches are not in upstream. Moreover, the OpenSSL team has no plans in the
>>> foreseeable future to support the latest ciphers.
>>>
>>> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid
>>> 4.x branch bug, because 3.5.x does handshake with CF.
>>>
>>> LibreSSL does CHACHA right now.
>>>
>>> The question is:
>>>
>>> Amos, does Squid support LibreSSL and, if not, when do you plan to
>>> support it?
>> Yes, Squid does support LibreSSL. You can build against it with the
>> --with-openssl configure option, maybe using a =path parameter to ensure
>> it doesn't find an OpenSSL install.
>>
>> The difference between LibreSSL and OpenSSL is likely to be more visible
>> in the squid.conf settings that it will accept and those that it
>> rejects. They are still basically the same, but I know that the LibreSSL
>> guys are being very proactive about removing old things like SSLv2 support. So
>> those config options won't work even where Squid-3.5 normally would
>> accept them with OpenSSL.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>

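The transcript above is the key diagnostic in this thread: `openssl s_client` completes the handshake cleanly (TLSv1.2, verify return code 0, a two-certificate chain), so the failure is in the proxy's own TLS stack or options rather than at the origin. The following is an added example, not code from the thread or from the Squid project: a small parser for the text `s_client` prints, with a `diagnose()` step that flags the things worth checking before blaming the origin (verify failure, legacy protocol, non-PFS cipher, a break between adjacent chain entries, or no `SSL-Session` block at all, meaning the handshake never finished). The sample transcripts are constructed, abridged from the one quoted above; the failure and truncation cases are assumed, not observed in the thread.

```python
"""Summarise an `openssl s_client` transcript and flag handshake problems.

Added example (not from the thread or the Squid project).  It reads the
text s_client prints to stdout and extracts what matters when a bumping
proxy cannot negotiate TLS with an origin: negotiated protocol and
cipher, ALPN, the verify return code and the chain as sent on the wire.
"""
import re

# Constructed sample, abridged from the transcript quoted in the thread.
GOOD = """\
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert High Assurance EV CA-1
verify return:1
depth=0 C = US, O = Mozilla Foundation, CN = www.mozilla.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=Mozilla Foundation/CN=www.mozilla.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHWTCCBkGgAwIBAgIQBQ5gs8e9nTbV62rD+8G95jANBgkqhkiG9w0BAQUFADBp
-----END CERTIFICATE-----
---
SSL handshake has read 4163 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
"""
# Constructed failure case (assumed): the local CA bundle lacks the intermediate.
BAD = GOOD.replace("Verify return code: 0 (ok)",
                   "Verify return code: 20 (unable to get local issuer certificate)")
# Constructed case (assumed): connection dropped before the session summary.
TRUNCATED = GOOD.split("SSL-Session:")[0]

FIELDS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)"),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)"),      # not the "Cipher is" line
    "alpn": re.compile(r"^ALPN protocol:\s*(\S+)"),       # absent when "No ALPN negotiated"
    "key_bits": re.compile(r"^Server public key is (\d+) bit"),
    "bytes_read": re.compile(r"^SSL handshake has read (\d+) bytes"),
}
VERIFY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")
CHAIN_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_s_client(text):
    """Return a dict of negotiated parameters and the chain in wire order."""
    out = {key: None for key in FIELDS}
    out.update(verify_code=None, verify_msg=None, chain=[])
    for line in text.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            out["chain"].append({"depth": int(m.group(1)),
                                 "subject": m.group(2).strip(), "issuer": None})
            continue
        m = CHAIN_ISSUER.match(line)
        if m and out["chain"] and out["chain"][-1]["issuer"] is None:
            out["chain"][-1]["issuer"] = m.group(1).strip()
            continue
        m = VERIFY.match(line)
        if m:
            out["verify_code"], out["verify_msg"] = int(m.group(1)), m.group(2)
            continue
        for key, pat in FIELDS.items():
            m = pat.match(line)
            if m:
                out[key] = int(m.group(1)) if key in ("key_bits", "bytes_read") else m.group(1)
    return out


def diagnose(summary):
    """List the reasons a proxy might reject this server; empty means 'look at the proxy'."""
    findings = []
    if summary["verify_code"] is None:
        return ["handshake did not complete: no SSL-Session block"]
    if summary["verify_code"] != 0:
        findings.append(f"verification failed: {summary['verify_msg']}")
    if summary["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {summary['protocol']}")
    cipher = summary["cipher"] or ""
    if not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):   # TLS_ prefix = TLS 1.3 suites
        findings.append(f"cipher without forward secrecy: {cipher}")
    chain = summary["chain"]
    for lower, upper in zip(chain, chain[1:]):   # each issuer must be the next subject
        if lower["issuer"] != upper["subject"]:
            findings.append(f"chain break between depth {lower['depth']} and {upper['depth']}")
    if chain and chain[0]["subject"] == chain[0]["issuer"]:
        findings.append("leaf certificate is self-signed")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", TRUNCATED)):
        print(name, diagnose(parse_s_client(text)) or "no findings; check the proxy side")
```

Run it against a saved transcript (`openssl s_client -connect host:443 -servername host < /dev/null > out.txt`, then `parse_s_client(open("out.txt").read())`); note that `-servername` matters, because many CDN fronts, Cloudflare included, serve a different certificate or refuse the handshake without SNI, which is one more thing a bumping proxy must forward correctly.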
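The two log lines Yuri quotes (a NONE/503 with HIER_NONE in access.log and "Error negotiating SSL on FD 56" in cache.log) are the same event seen from two files, and matching them up by hand gets tedious once more than one origin is affected. The following is an added example, not from the thread or the Squid project, that parses both native formats and pairs each server-side TLS failure with the cache.log error closest in time. The one caveat it encodes is that access.log timestamps are epoch seconds (UTC) while cache.log timestamps are local time, so the proxy's UTC offset is a required input; the quoted pair only lines up with an offset of +6 hours. The log lines are constructed (the first of each file is the pair quoted above), and the second cache.log error string is an assumed sample, not something reported in the thread.

```python
"""Correlate Squid NONE/503 responses with "Error negotiating SSL" lines.

Added example (not from the thread or the Squid project).  When a bumped
server-side handshake fails, access.log records NONE/503 with HIER_NONE
and cache.log records "Error negotiating SSL on FD N: <openssl error>".
access.log timestamps are epoch seconds (UTC); cache.log timestamps are
local time, so the proxy's UTC offset is a required input.
"""
from datetime import datetime, timedelta, timezone
import re
from urllib.parse import urlsplit

# Constructed sample lines; the first line of each file is the pair quoted in the thread.
ACCESS_LOG = """\
1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
1460805180.102    412 192.168.100.103 TCP_MISS/200 5123 GET https://example.org/ - HIER_DIRECT/203.0.113.10 text/html
1460805260.500      0 192.168.100.103 NONE/503 3944 GET https://www.cloudflare.com/ - HIER_NONE/- text/html
"""
CACHE_LOG = """\
2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2016/04/16 17:13:00 kid1| storeLateRelease: released 0 objects
2016/04/16 17:14:26 kid1| Error negotiating SSL on FD 61: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
"""

SSL_ERR = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<kid>\S+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): (?P<err>.*)$")


def parse_access(text):
    """Native access.log: ts elapsed client code/status bytes method url user hier/peer type."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        code, status = f[3].split("/", 1)
        hier, _, peer = f[8].partition("/")
        records.append({
            "when": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            "client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "host": urlsplit(f[6]).hostname,
            "hier": hier, "peer": peer,
        })
    return records


def parse_cache(text, utc_offset_hours):
    """Only the SSL negotiation errors; timestamps are made timezone-aware."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    errors = []
    for line in text.splitlines():
        m = SSL_ERR.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
        errors.append({"when": when, "fd": int(m["fd"]), "error": m["err"]})
    return errors


def is_tls_failure(rec):
    """Squid's signature for 'could not reach the origin over TLS': no hierarchy, 503."""
    return rec["code"] == "NONE" and rec["status"] == 503 and rec["hier"] == "HIER_NONE"


def correlate(access_text, cache_text, utc_offset_hours, window_seconds=3):
    """Pair each TLS failure with the first cache.log SSL error within the window."""
    window = timedelta(seconds=window_seconds)
    errors = parse_cache(cache_text, utc_offset_hours)
    pairs = []
    for rec in parse_access(access_text):
        if not is_tls_failure(rec):
            continue
        for err in errors:
            if abs(rec["when"] - err["when"]) <= window:
                pairs.append((rec["host"], err["error"]))
                break
    return pairs


def failures_by_host(access_text):
    """Which origins are failing, to see whether it is one CDN or everything."""
    counts = {}
    for rec in parse_access(access_text):
        if is_tls_failure(rec):
            counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


if __name__ == "__main__":
    print(failures_by_host(ACCESS_LOG))
    for host, err in correlate(ACCESS_LOG, CACHE_LOG, utc_offset_hours=6):
        print(host, "->", err)
```

The `error:00000000:lib(0):func(0):reason(0)` text in the quoted line is OpenSSL's "no error queued" string, so the matching only tells you which request failed, not why; a real OpenSSL reason code (as in the constructed second line) is what you want to see next, typically by raising `debug_options ALL,1 83,5` on the Squid side or by reproducing the handshake with `openssl s_client` using the same ciphers and options the proxy is configured with.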
