[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server helllo

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 16 13:49:31 UTC 2020


On 6/16/20 3:43 AM, Loučanský Lukáš wrote:

> I was wondering if anyone could take a look at this:

It might be TLS GREASE[1], but I do not see enough information to
reliably diagnose the problem. This is not your fault -- Squid just does
not log the relevant details by default (we are actively working on
improving that).

If others do not find a solution, I suggest sharing an ALL,9 log of a
problematic transaction.

Alex.

[1]
https://github.com/squid-cache/squid/commit/eec67f04490a477d69891c8b05a94bea05e5efbf


> I'm running squid for rather long time, recently I have upgraded my squid box to Debian 10 (from Debian 9) and OpenSSL 1.1.1d 
>  
> 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux OpenSSL 1.1.1d  10 Sep 2019
> 
> squid -v
> Squid Cache: Version 4.12
> Service Name: squid
> 
> This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
> 
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid4' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid4' '--sysconfdir=/etc/squid4' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-snmp' '--disable-translation' '--with-swapdir=/var/spool/squid4' '--with-logdir=/var/log/squid4' '--with-pidfile=/var/run/squid4.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl-crtd' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-linux-netfilter' 'PKG_CONFIG_PATH=:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'CFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'
> 
> Before upgrade I was running stock kernel, stock openssl and compiled squid version 4.10 with ssl support to splice (local and excepted webs), peek and terminate ssl connections based on the SNI acl. 
>  
> Now I run into this problem - my configuration does not work anymore. So I decided to try to bump every connection. The security file certgen is making new certificates based on my CA as usual.
> But the client on the intercepted connection (via changed routing table under mikrotik and then prerouted to correct squid ports for http and ssl traffic) running Chrome 83 http://download.kjj.cz/pub/ssl/idnes.cz_chrome.83.0.4103.97.pcapng sends ClientHello - and no ServerHello is received. I've tcpdumped outgoing interface on the squid box - and there was no actual connection to the desired server. 
> In the access.log there is something like 1592212170.495      2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
>  
> But - same client, same network, same network running Firefox 77 http://download.kjj.cz/pub/ssl/idnes.cz_firefox.77.0.1.pcapng  gets ServerHello after it's ClientHello - they exchange information, exchange ciphers etc. and the web page is loaded. I've checked https certificate details - it's been issued by my CA.
> 
> 
> access.log:
>  
> 1592212156.764      8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
> 1592212156.774      2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.825     38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
> 1592212156.840      7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.893     28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
> 
> 
> So in Firefox - it seems to be working. I have modified opensll.cnf default configuration to avoid MinProtocol TLS1.2, but no change. I have 2048b SSL DH params specified for prime256v1 curve in the https-port definition like this https_port 3129 intercept ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid4/ssl/CAcert.pem tls-dh=prime256v1:/etc/squid4/ssl/dhparams_2048.pem cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 
> and
> 
> tls_outgoing_options options=NO_SSLv3
> tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 
> At first I thought I have to change my configuration or that I missed something during the compiling so I switched back to 4.10 - no change.I see 2020/06/15 11:21:45 kid2| Error negotiating SSL connection on FD 59: error:00000001:lib(0):func(0):reason(1) (1/-1) in the cache.log here and there - but it was the same before. I've actually turned debug on (by debug_options ALL,9), just to get bunch of information, tracked down connect request to the desired servers and seeing nothing...
> 
> Is it something about the patch for older TLS traffic, or is it some misconfiguration - maybe in the ciphers or TLS versions?
> 
> Thanks LL
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



More information about the squid-users mailing list