[squid-users] Trying to verify couple tls issues

Eliezer Croitoru ngtech1ltd at gmail.com
Mon Jan 18 17:04:36 UTC 2021


I wrote the following "helping/helper/testing scripts":
https://github.com/elico/tls-check-script/blob/master/tls-check.rb
https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh

Now I am trying to verify what issues exist that cause squid to produce this
result:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33

So the output of: bash check-dns-san.sh 161.117.96.220 443 is:
## START
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = data.mistat.intl.xiaomi.com
verify return:1
DONE
X509v3 Subject Alternative Name:
    DNS:data.mistat.intl.xiaomi.com
## END

And then I am testing with the following command: ruby tls-check.rb
161.117.96.220 443 and the output is:
## START
### Number of Ciphers to be tested: 66
### Timeout per test: 3
### Delay between tests: 1
Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
Testing TLS_CHACHA20_POLY1305_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_GCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_CCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing ECDHE-ECDSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM8...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM8...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-GCM-SHA256...  CONNECTED: ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM8...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM8...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA384...  CONNECTED: ECDHE-RSA-AES256-SHA384, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA256...  CONNECTED: ECDHE-RSA-AES128-SHA256, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA...  CONNECTED: ECDHE-RSA-AES128-SHA, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
Testing AES256-CCM8...  NO, sslv3 alert handshake failure
Testing AES256-CCM...  NO, sslv3 alert handshake failure
Testing ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
Testing AES128-CCM8...  NO, sslv3 alert handshake failure
Testing AES128-CCM...  NO, sslv3 alert handshake failure
Testing ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure Renegotiation IS supported
Testing CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure Renegotiation IS supported
Testing CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure Renegotiation IS supported
Testing CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported
Testing CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-SEED-SHA...  NO, sslv3 alert handshake failure
Testing SEED-SHA...  NO, sslv3 alert handshake failure
Testing IDEA-CBC-SHA...  NO, ssl_cipher_process_rulestr
## END

I assume that the above results might give a clue why the mentioned error line:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33

happens. However, I am not sure.
Is there any config that might affect this negotiation in squid?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
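An added example, not part of the post or of the tls-check tool: it classifies tls-check.rb output lines so that ciphers the local OpenSSL rejected before any connection was made (the SSL_CTX_set_cipher_list and ssl_cipher_process_rulestr results) are kept apart from suites the server actually refused with a handshake alert. The sample lines are constructed from the output quoted above, and the regex assumes the tool's "Testing NAME...  VERDICT" line shape.

```ruby
# Added example (not from the post or the tls-check tool): classify tls-check.rb
# output lines. Sample lines are constructed from the output quoted in the post.
SAMPLE = <<~OUT
  Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
  Testing ECDHE-ECDSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
  Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
  Testing DHE-RSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
  Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported
  Testing IDEA-CBC-SHA...  NO, ssl_cipher_process_rulestr
OUT

# Errors raised by the local OpenSSL while building the cipher list (TLS 1.3 suites
# cannot be set through SSL_CTX_set_cipher_list; IDEA was not compiled in). The
# server was never asked about these ciphers, so they say nothing about it.
CLIENT_SIDE = ["SSL_CTX_set_cipher_list", "ssl_cipher_process_rulestr"].freeze

# Returns cipher name => :accepted | :rejected_by_server | :client_error | :other
def classify(output)
  output.each_line.with_object({}) do |line, result|
    m = line.strip.match(/\ATesting (\S+?)\.\.\.\s+(.*)\z/)
    next unless m
    name, verdict = m[1], m[2]
    result[name] =
      if verdict.start_with?("CONNECTED:") then :accepted
      elsif CLIENT_SIDE.any? { |e| verdict.include?(e) } then :client_error
      elsif verdict.include?("handshake failure") then :rejected_by_server
      else :other
      end
  end
end

# Authentication family implied by an OpenSSL cipher name. A server that only
# holds an RSA certificate cannot negotiate any *-ECDSA-* suite, so a clean
# block of ECDSA rejections is expected rather than a fault.
def auth_family(name)
  return :ecdsa if name.include?("-ECDSA-")
  return :tls13 if name.start_with?("TLS_")
  :rsa
end

def summarize(output)
  classes = classify(output)
  {
    accepted: classes.select { |_, v| v == :accepted }.keys,
    rejected_ecdsa: classes.count { |n, v| v == :rejected_by_server && auth_family(n) == :ecdsa },
    rejected_rsa: classes.count { |n, v| v == :rejected_by_server && auth_family(n) == :rsa },
    client_errors: classes.select { |_, v| v == :client_error }.keys,
  }
end

puts summarize(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

Run it as `ruby tls-check.rb HOST PORT | ruby classify.rb` after swapping SAMPLE for STDIN.read; only the rejected_rsa suites (here the DHE-RSA ones) reflect a server-side restriction worth comparing against the proxy's cipher settings.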