[squid-users] Squid 4: Cloudflare SSL connection problem

Guy Helmer guy.helmer at gmail.com
Mon Apr 18 16:11:39 UTC 2016


> On Apr 17, 2016, at 5:50 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> 
> *NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus Torvalds. :) We are not speaking about all possible OSes. I suggest the matter is in SSL/TLS, not OS or hands or something similar.
> 
> The problem is in CF, I think. As a maximum in peek-n-splice.
> 
> 
> Because I've not changed my squid.conf over the last year, but approx. in January 2016 CloudFlare stopped working via proxy, as my field SA said. AFAIK, CF changed its own security settings. Also, I suggest, mozilla.org also moved behind CF.
> 
> Ok, let's talk about squid.conf. SSL-related rows are here:
> 
> # SSL bump rules
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
> 
> http_port 3126 intercept
> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt options=SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> 
> I see no anomalies in these lines. Ciphersuite is very relaxed.
> 
> Also, if we discuss a bug - maybe it is better to turn on debug to know why 4.x got first NONE_ABORTED/200 during CONNECT phase and then NONE/503 during TLS negotiation?

Hi, Yuri,

If I understand correctly, the issue is between squid and the origin proxy. In case it would help, have you enabled ECDH sslproxy_options or sslproxy_cipher settings in this snippet that would enable Squid to use ECDH when talking to the origin servers?

Do you happen to have a packet capture between your squid server and a CloudFlare server that could help diagnose the TLS protocol’s problem?

Regards,
Guy