[squid-users] Squid 4: Cloudflare SSL connection problem

Yuri Voinov yvoinov at gmail.com
Mon Apr 18 16:37:40 UTC 2016




18.04.16 22:11, Guy Helmer writes:
>
>> On Apr 17, 2016, at 5:50 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
>> 
>> *NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus
>> Torvalds. :) We are not speaking about all possible OSes. I suggest
>> the matter is in SSL/TLS, not the OS or hands or something similar.
>>
>> The problem is in CF, I think. At most, in peek-n-splice.
>>
>>
>> Because I've not changed my squid.conf over the last year, but approx.
>> in January 2016 CloudFlare stopped working via proxy, as my field SA said.
>> AFAIK, CF changed its own security settings. Also, I suggest, mozilla.org
>> also moved behind CF.
>>
>> Ok, let's talk about squid.conf. SSL-related rows are here:
>>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
>> ssl_bump peek DiscoverSNIHost
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump all
>>
>> http_port 3126 intercept
>> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt options=SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
>> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>>
>> I see no anomalies in these lines. The ciphersuite is very relaxed.
>>
>> Also, if we discuss a bug - maybe it's better to turn on debug to learn
>> why 4.x got first NONE_ABORTED/200 during the CONNECT phase and then
>> NONE/503 during TLS negotiation?
>
> Hi, Yuri,
>
> If I understand correctly, the issue is between squid and the origin
> proxy. In case it would help, have you enabled ECDH sslproxy_options or
> sslproxy_cipher settings in this snippet that would enable Squid to use
> ECDH when talking to the origin servers?
As you can see above - yes, ECDH is enabled, and I've checked it via Qualys
SSL Labs - Projects / SSL Client Test
<https://www.ssllabs.com/ssltest/viewMyClient.html>. Also, other sites
utilize ECDH with this setup like a charm.
>
>
> Do you happen to have a packet capture between your squid server and a
> CloudFlare server that could help diagnose the TLS protocol's problem?
Not now. First, this issue occurs in a production environment, which has
its own DMZ and heavy enough traffic from a few dozen customers. It is
somewhat difficult to isolate one transaction with sniffing.
>
>
> Regards,
> Guy
>
>
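An added model (not Yuri's or Squid's own code) of how Squid walks the ssl_bump list quoted above, so a reader can see which SNIs end up spliced versus bumped by this configuration. The two pattern files and the SNI values are constructed stand-ins, and the step-2 server_name is assumed to be the SNI peeked from the ClientHello.

```python
import re

# Constructed stand-ins for /usr/local/squid/etc/url.nobump and url.tor:
# one regex per line, read case-insensitively (ssl::server_name_regex -i).
NOBUMP_PATTERNS = r"""
^(.*\.)?bank\.example$
^update\.example\.org$
"""
TOR_PATTERNS = r"""
\.onion$
"""

def load_regex_list(text):
    """Compile the non-empty, non-comment lines of a quoted ACL file."""
    pats = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pats.append(re.compile(line, re.IGNORECASE))
    return pats

NO_SSL_INTERCEPT = load_regex_list(NOBUMP_PATTERNS) + load_regex_list(TOR_PATTERNS)

def no_ssl_intercept(server_name):
    """acl NoSSLIntercept: true when any pattern from either file matches."""
    return server_name is not None and any(p.search(server_name) for p in NO_SSL_INTERCEPT)

def ssl_bump_action(step, server_name):
    """Evaluate the thread's ssl_bump list top-down; the first match wins:
         ssl_bump peek   DiscoverSNIHost   (acl at_step SslBump1)
         ssl_bump splice NoSSLIntercept
         ssl_bump bump   all
    server_name is what ssl::server_name resolves to at that step (assumed
    simplification: at step 2 it is the peeked SNI, None if none was sent)."""
    if step == 1:
        return "peek"            # DiscoverSNIHost matches only at step 1
    if no_ssl_intercept(server_name):
        return "splice"          # tunnel the TLS session unmodified
    return "bump"                # terminate TLS and re-originate it

def decide(client_hello_sni):
    """Run one connection through step 1 (peek) and step 2; return the final action."""
    if ssl_bump_action(1, None) != "peek":
        raise RuntimeError("step 1 must peek to learn the SNI")
    return ssl_bump_action(2, client_hello_sni)

if __name__ == "__main__":
    for sni in ["www.bank.example", "login.BANK.example", "foo.onion", "www.mozilla.org", None]:
        print(f"{sni!s:>20} -> {decide(sni)}")
```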
