[squid-users] Fwd: Squid ssl bumping. Ssl bumping not working on sites with ssl GOST cypher certificate

Wed Sep 21 17:55:34 UTC 2016

On 22/09/2016 1:41 a.m., Сергин Александр wrote:
> Hi, can you please explain me, does squid support ssl bumping with site
> signed with GOST certificate?
> 

The crypto details in squid.conf are almost always passed directly to
the crypto library. So Squid supports what the library does. I don't
know enough about the GOST ciphers to know if there is anything unusual
needed from Squid.

> I have OpenSSL 1.0.2d 9 Jul 2015
> 
> openssl engine
> (dynamic) Dynamic engine loading support
> *(gost) Reference implementation of GOST engine*
> 

That would indicate the answer is yes, unless something unusual is needed.

> 
> *openssl ciphers | grep GOST*
> 
> *GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89*
> 
> /opt/squid/sbin/squid -v
> Squid Cache: Version 3.5.19
> Service Name: squid
> configure options:  'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
> -O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
> '--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
> '--enable-removal-policies=heap,lru' '--enable-useragent-log'
> '--enable-referer-log' '--enable-arp-acl' '--with-openssl'
> '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
> '--enable-basic-auth=all' '--enable-ntlm-auth=all'
> '--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
> '--enable-external-acl-helpers' '--with-filedescriptors=32768'
> '--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
> '--disable-static' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid'
> '--with-swapdir=/var/data/squid/cache' '--disable-arch-native'
> 
> SSL bumping with dynamic certificates working well but when I try to go to
> site with GOST certificate,
> I see error -
> 
> The system returned:
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
> Handshake with SSL server failed: error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
> 
> 
> Please explain me this Error please
> 

The error is produced by OpenSSL. It means one endpoint of the
Squid<->server connection has a crypto library that does not support one
of the cipher algorithms the other endpoint is requiring.

This is different from simply not being able to agree on a matching set
of ciphers to use. One of the ciphers is actively non-supported for the
use to which it is being attempted.

It could be the cipher (server not supporting GOST?), a checksum hash
(RC4, DES, SHA1 are frequently forbidden these days), or something else.

NP: That is the limit of what I know about this error sorry. Good luck
finding a fix.

Amos