[squid-users] Trying to verify couple tls issues

Amos Jeffries squid3 at treenet.co.nz
Mon Jan 18 18:45:31 UTC 2021 

On 19/01/21 6:04 am, Eliezer Croitoru wrote:
> I wrote the next "helping/helper/testing scripts":
> https://github.com/elico/tls-check-script/blob/master/tls-check.rb
> https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh
> 
> Now I am trying to verify what issues exists that causes squid to this
> result:
> 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
>      connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
> flags=33
> 
> So the output of: bash check-dns-san.sh 161.117.96.220 443 is:
> ## START
> Can't use SSL_get_servername
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA
> CA 2018
> verify return:1
> depth=0 CN = data.mistat.intl.xiaomi.com
> verify return:1
> DONE
> X509v3 Subject Alternative Name:
>      DNS:data.mistat.intl.xiaomi.com
> ## END
> 
> And then I am testing with the next command: ruby tls-check.rb
> 161.117.96.220 443 and the output is:
> ## START
> ### Number of Ciphers to be tested: 66
> ### Timeout per test: 3
> ### Delay between tests: 1
> Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
> Testing TLS_CHACHA20_POLY1305_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing TLS_AES_128_GCM_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing TLS_AES_128_CCM_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing ECDHE-ECDSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED:
> ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-CCM...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES256-CCM...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-GCM-SHA256...  CONNECTED:
> ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-CCM...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES128-CCM...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-SHA384...  CONNECTED: ECDHE-RSA-AES256-SHA384, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-SHA256...  CONNECTED: ECDHE-RSA-AES128-SHA256, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-SHA...  CONNECTED: ECDHE-RSA-AES128-SHA, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
> Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES, Secure
> Renegotiation IS supported
> Testing AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing AES256-CCM...  NO, sslv3 alert handshake failure
> Testing ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES, Secure
> Renegotiation IS supported
> Testing AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing AES128-CCM...  NO, sslv3 alert handshake failure
> Testing ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure
> Renegotiation IS supported
> Testing CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
> Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure
> Renegotiation IS supported
> Testing CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure Renegotiation IS
> supported
> Testing CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
> Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure Renegotiation IS
> supported
> Testing CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-SEED-SHA...  NO, sslv3 alert handshake failure
> Testing SEED-SHA...  NO, sslv3 alert handshake failure
> Testing IDEA-CBC-SHA...  NO, ssl_cipher_process_rulestr
> ## END
> 
> I assume that the above results might give a clue why mentioned error line:
> 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
>      connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
> flags=33

Take the output above and grep "CONNECTED: ". If the client or Squid do 
not support those combinations, the above error will result when 
connecting to that server.


 > Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED:
 > ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported

 > Testing ECDHE-RSA-AES128-GCM-SHA256...CONNECTED:
 > ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported

 > Testing ECDHE-RSA-AES256-SHA384...CONNECTED: ECDHE-RSA-AES256-SHA384,
 > Testing ECDHE-RSA-AES128-SHA256...CONNECTED: ECDHE-RSA-AES128-SHA256,
 > Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES,
 > Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES,
 > Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES,
 > Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure
 > Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure
 > Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure
 > Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure
 > ## END


> 
> happens. However I am not sure.
> Are there any config that might affect this negotiation in squid?


When either SHA or AES are not possible for Squid to use it will happen. 
Depending on whether your Squid is doing bumping or not will will 
determine whether it is possible to affect with a configuration change 
or if the issue is the client software.


Amos

More information about the squid-users mailing list