[squid-users] SSL options on different http_port resolving into a single config for all ports

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 31 13:08:11 UTC 2017 

On 31/07/17 19:27, Wahaj Ali wrote:
> Thanks for the reply, Amos. A few follow up questions:
> 
> 1) Setting dynamic_cert_mem_cache_size=0 does solve the issue. However, 
> I fail to understand why caching the cert allows the connection to 
> continue on SSLv3, on a port that I've disabled it. Isn't cert exchange 
> done after the protocol has been selected. I don't think curl is 
> rejecting the cert, but rather the ssl connection fails to establish 
> before the cert exchange, since I also tried with the following command, 
> which ignores cert errors:
> > curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3
> 

Are you referring to the -k ?

That option disables security validation procedures for the cert keys - 
like Squid's DONT_VERIFY_PEER option. That is all.

It cannot prevent OpenSSL *parsing* the cert and rejecting it on grounds 
that TLS-only things are being used on an SSLv3 connection, or SSL 
things are being on a TLS-only connection.


> 
> root at madmin-VirtualBox:/home/madmin/# curl -k -vv -x 
> https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3
> * About to connect() to proxy 127.0.0.1 port 3128 (#0)
> *   Trying 127.0.0.1... connected
> * Establish HTTP proxy tunnel to uatmail02.cimb.com:443
>  > CONNECT uatmail02.cimb.com:443 HTTP/1.1
>  > Host: uatmail02.cimb.com:443
>  > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>  > Proxy-Connection: Keep-Alive
>  >
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> *   CAfile: none
>    CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):

The protocol version is decided here. By the server - based partially on 
what framing syntax that ClientHello used, and partially on what the 
client indicates it can support.

If the protocol itself could not be agreed to the server would terminate 
and I'd expect curl to either show an alert received now, or complain 
about early closure.


> * SSLv3, TLS alert, Server hello (2):

Here curl is receiving the ServerHello - which contains the cert and the 
servers chosen cyphers etc.


> * error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure > * Closing connection #0

So, curl is aborting willingly when processing that cert etc.

That "error:" line is produced by OpenSSL, not curl.

It might also abort due to cipher or extension issues, but IIRC the 
messages OpenSSL prints there explicitly contain the words cipher or 
extension respectively.


> 
> 2) You mentioned "leaving port 443 for encrypted connections", can you 
> please elaborate on why it might be problematic to use "http_port" 
> directive - i.e. have both plain-text and SSL connections?
> 

Because of problems like the one you are clearly showing by the way you 
worded that question. As if you think SSL connections are arriving at 
that port.

  ... it *does not* accept SSL connections.

The octet values for TLS and plain-text messages are incompatible. They 
can be interpreted by either one - with various results which are 
different to how they are supposed to be handled, and usually not nice 
results.


The "http_" part of the directive name indicates what protocol the 
parser attached to that port accepts. In this case plain-text HTTP. 
There are a few other protocols that can arrive there but they do so by 
using the plain-text HTTP syntax.


To receive port 443 traffic use the https_port. The "https_" part of 
that directive name means the bytes arriving to that port get shuffled 
through a TLS parser (eg OpenSSL) before going to the HTTP parser.

If you were thinking that ssl-bump option on the port made it accept 
SSL/TLS connections you would be wrong. SSL-Bump on an http_port is 
about applying a TLS parser *after* the HTTP parser - and only for the 
payload of plain-text HTTP CONNECT messages.


Other plain-text protocols which Squid supports that don't use the 
message HTTP-syntax have to use different port directives. For example; 
ftp_port directive for native FTP protocol.

Amos

More information about the squid-users mailing list