[squid-users] SSL options on different http_port resolving into a single config for all ports

Wahaj Ali Wahaj_Ali at symantec.com
Thu Jul 27 07:51:57 UTC 2017


With squid 3.5.25, I have two http_port configs, on one of which I want to disable SSLv3 while leaving it enabled on the other. Here is part of that config:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

If I first proxy my traffic to port 443, it seems to apply the port 443 config on all other ports from here on. On the other hand if my first request goes through port 3128, then squid sets whatever SSL version is supported on 3128 for all the other ports as well.

First request going to port 3128:
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

First request hitting 443:
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
*        start date: 2017-07-03 09:00:37 GMT
*        expire date: 2019-07-04 09:00:37 GMT
*        common name: uatmail02.cimb.com (matched)
*        issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
*        start date: 2017-07-03 09:00:37 GMT
*        expire date: 2019-07-04 09:00:37 GMT
*        common name: uatmail02.cimb.com (matched)
*        issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineering@elastica.co; CN=Elastica
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


In the first case, SSLv3 fails on both ports, while in the second it works for both. My expectation was that I can configure the ports independently to use different SSL versions. Wonder if this is a bug?

Regards,
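Because the post shows the protocol options of whichever http_port was used first taking effect on the other port, a useful defensive check is to lint squid.conf so that every TLS-enabled http_port line carries the same NO_* protocol options, rather than relying on per-port differences. The script below is an added example, not squid's own code or the poster's; it parses only the http_port option syntax shown in the post (the sample config is the two lines quoted above) and the function names are my own.

```python
import re

# Constructed sample: the two http_port lines quoted in the post above.
SQUID_CONF = """
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
"""


def parse_http_ports(conf):
    """Return {port: {option: value}} for each http_port line; bare flags map to True."""
    ports = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not re.match(r"http_port\s", line):
            continue
        tokens = line.split()
        port = tokens[1].rsplit(":", 1)[-1]           # accept "port" or "ip:port"
        opts = {}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")        # split on the first '=' only
            opts[key] = value if value else True
        ports[port] = opts
    return ports


def disabled_protocols(opts):
    """The NO_* entries of an options= list, as a set (empty if none)."""
    return {o for o in opts.get("options", "").split(",") if o.startswith("NO_")}


def lint(conf, required=("NO_SSLv2", "NO_SSLv3")):
    """Flag TLS ports lacking the required NO_* options and ports that disagree with each other."""
    ports = parse_http_ports(conf)
    # Only ports that terminate TLS (ssl-bump or a server cert) are relevant.
    tls_ports = {p: o for p, o in ports.items() if "ssl-bump" in o or "cert" in o}
    findings = []
    for port, opts in sorted(tls_ports.items()):
        missing = [r for r in required if r not in disabled_protocols(opts)]
        if missing:
            findings.append(f"port {port}: options= lacks {','.join(missing)}")
    # Differing per-port settings are exactly the situation the post shows bleeding across ports.
    if len({frozenset(disabled_protocols(o)) for o in tls_ports.values()}) > 1:
        detail = "; ".join(f"{p}={sorted(disabled_protocols(o)) or 'none'}" for p, o in sorted(tls_ports.items()))
        findings.append("ports disable different protocol versions: " + detail)
    return findings


if __name__ == "__main__":
    for finding in lint(SQUID_CONF):
        print(finding)
```

The lint reports what the config text says, not what the running squid actually negotiates; confirm the latter with a handshake test against each port, as the post does.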


