[squid-users] handshake problems with stare and bump

Marc gaardiolor at gmail.com
Wed Oct 5 16:30:31 UTC 2016


Hi,

Thanks for the replies. I've figured out more details. First, my
assumption that sslproxy_cipher was ignored in my setup was incorrect.
I confused it with what I've read about sslproxy_options on
http://bazaar.launchpad.net/~yadi/squid/warnings/revision/13928 .
Thanks Yuri for making me come to that conclusion. So I've put in
'sslproxy_cipher ALL' (just for troubleshooting purposes..). After
that, previously mentioned test 1 works on the linux client, however,
the iphone app still does not. So I went on and did more tests.

First, the iphone uses more then one cipher. I'll start with curl,
using TLS1.0 like the app.

3) curl --insecure --tlsv1.0 https://www.google.com
SQUID_ERR_SSL_HANDSHAKE. So with the default ciphers curl using tls
1.0 also breaks.

4) curl --insecure --tlsv1.0 --ciphers rsa_3des_sha https://www.google.com
Works. So using one cipher 'fixes' it.. just like we saw using openssl
s_client. Back to openssl s_client, default ciphers.

5) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1
SQUID_ERR_SSL_HANDSHAKE. Also here, using more ciphers generates an error.

6) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1_1
SQUID_ERR_SSL_HANDSHAKE. TLS 1.1 does not help.

7) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1_2
This works! When using TLS 1.2, we do not have this problem. Note that
compared to the previous 2 tests we have an extra TLS security
extension in the Client Hello, signature_algorithms. Now more tests
with TLS 1.0.

8) Firefox with TLS 1.0 (security.tls.version.max = 1).
Works. But.. Firefox is also using multiple ciphers. Hmm. Firefox also
uses a whole bunch of TLS Extensions with TLS 1.0. Back to openssl and
focus on extensions.

9) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1 -servername
www.google.com
SQUID_ERR_SSL_HANDSHAKE. Adding the server_name extension doesn't
help. Now let's try to add other TLS extensions. Since openssl didn't
want to play along I started with a fake one, 33554.

10) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1 -servername
www.google.com -serverinfo 33554
This works! Removing SNI, keeping the fake extension:

11) echo -e "GET / HTTP/1.1\nHost: www.google.com\n\n" | openssl
s_client -quiet -connect www.google.com:443 -tls1 -serverinfo 33554
Also works. Adding other extensions instead of the fake one also works.

So yeah.. I'm still confused.
- If TLS v1.0 or TLS v1.1, and more then one cipher, and not some
seemingly random extension then error. TLS v1.2 seems to work, maybe
just because the extra extension signature_algorithms, no idea.
- Squid forwards ciphers in the Client Hello to the webserver, except
for some CHACHA20 ones that are filtered out. Squid should make it's
own decision though when using stare right ? Squid does upgrade the
TLS version.

Should I report 2 bugs and/or attach debug logging ? I'll try test
with squid4 later this week. It doesn't want to compile on FC24 for
some reason.. while my gcc has c11 support. Have to dive into it..
unless someone has tips.

#######
# /usr/bin/g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib
-I../../src -I../../include -I../../libltdl -Wall -Wpointer-arith
-Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror
-Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -MT
Handshake.lo -MD -MP -MF .deps/Handshake.Tpo -c Handshake.cc -o
Handshake.o
Handshake.cc: In member function ‘void
Security::HandshakeParser::parseServerCertificates(const SBuf&)’:
Handshake.cc:560:31: error: ‘cert’ may be used uninitialized in this
function [-Werror=maybe-uninitialized]
         Security::CertPointer cert;
                               ^~~~
At global scope:
cc1plus: error: unrecognized command line option
‘-Wno-deprecated-register’ [-Werror]
cc1plus: all warnings being treated as errors

# g++ --version
g++ (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2)
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/6.2.1/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap
--enable-languages=c,c++,objc,obj-c++,fortran,ada,go,lto --prefix=/usr
--mandir=/usr/share/man --infodir=/usr/share/info
--with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared
--enable-threads=posix --enable-checking=release --enable-multilib
--with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-gnu-unique-object
--enable-linker-build-id --with-linker-hash-style=gnu --enable-plugin
--enable-initfini-array --disable-libgcj --with-isl --enable-libmpx
--enable-gnu-indirect-function --with-tune=generic --with-arch_32=i686
--build=x86_64-redhat-linux
Thread model: posix
gcc version 6.2.1 20160916 (Red Hat 6.2.1-2) (GCC)

#######

Regards,

Marc


More information about the squid-users mailing list