[squid-users] Fwd: Squid 4.8 with OpenSSL 1.1.1d

[Yaroslav Pushko]

Hi All

We use Squid 4.8 with OpenSSL 1.1.1d in a transparent mode for peek and
splice interception.

With this version, we lost the possibility to connect to any HTTPS site.

There are a few issues:

   - support TLSv1.2 sites (already discussed in thread
   http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-ssl-choose-client-version-inappropriate-fallback-on-some-sites-when-using-TLS1-2-td4688258.html
    )
   - support TLSv1.3 sites.


Support TLSv1.2.

OpenSSL 1.1.1d adds support of TLSv1.3. These changes added some kind of
guard if we perform a handshake with a lower version of the TLS protocol
than we support. In this scenario, we receive downgrade fallback error.
Handshake version TLSv1.2 vs. max support TLSv1.3.

In such case, we have the next error:

ERROR: negotiating TLS on FD 19: error:1425F175:SSL
> routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)


OpenSSL already provided a fix for it. You can configure SSL session to use
option SSL_MODE_SEND_FALLBACK_SCSV and setting SSL max proto version for
current SSL session, but squid not yet supported these features.

You can find a patch in the attachments, will be grateful for the review.


The issue with TLS 1.3 support, we are still investigating, any advice will
be pleasant.

Best regards,
Yaroslav Pushko.
-- 
Best Regards,
Yaroslav Pushko | Senior *Software Engineer*
GlobalLogic
P +380971842774  M +380634232226 S dithard
www.globallogic.com
http://www.globallogic.com/email_disclaimer.txt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20191217/7ce31211/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-4.8-added_max_support_tlsversion.patch
Type: application/x-patch
Size: 3722 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20191217/7ce31211/attachment.bin>