[squid-users] Can I configure squid5 with Boring SSL

vinod mg vinod9987 at gmail.com
Tue May 4 09:33:46 UTC 2021


Hi Alex,

Thanks for confirming this, it saved me a lot of time :)

The reason why I wanted to try to build squid5 with BoringSSL is:
1) The current squid build with OpenSSL is not showing transactional ciphers
while browsing via Chrome, e.g. (TLS_GREASE_DA), (TLS_GREASE_IS_THE_WORD_BA)
--> is there any way to add these?
2) I am unable to suppress the named group 'secp521r1' while going via this
squid build on the Chrome browser. --> Is there any way to suppress this?

I am using https://browserleaks.com/ssl and https://www.howsmyssl.com to
check the above parameters.

I am using the configs below with OpenSSL and they work fine except for the
above-mentioned issues.

acl manager proto cache_object
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # multiling http
acl CONNECT method CONNECT
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl blocked_sites ssl::server_name .apple.com
acl amazon_deny dstdomain "/opt/squid/squid5/etc/blockdomains"
http_access allow localnet
http_access allow localhost
http_access deny blocked_sites
http_access deny amazon_deny
http_access allow all
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/opt/squid/squid5/etc/certs/ProxyBump.crt tls-key=/opt/squid/squid5/etc/certs/ProxyBump.key tls-dh=prime256v1:/opt/squid/squid5/etc/certs/ProxyBump.pem
sslcrtd_program /opt/squid/squid5/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
sslproxy_cert_error allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
tls_outgoing_options cipher=HIGH:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
cache_mem 1024 MB
cache deny all
cache_dir aufs /opt/squid/squid5/var/cache/squid 1024 16 256
shutdown_lifetime 2 seconds
coredump_dir /opt/squid/squid5/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer 10.12.11.2 parent 8080 0 no-query default login=abc:abc at 123
never_direct allow all
server_persistent_connections off
logfile_rotate 30
via off
forwarded_for delete
visible_hostname localhost
logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %>h %Se %>sh
logformat extended  %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %Hs %<st "%{Referer}>h" "%{User-agent}>h"
cache_log /opt/squid/squid5/var/logs/cache.log
acl hasRequest has request
access_log none !hasRequest
access_log stdio:/opt/squid/squid5/var/logs/access.log
access_log stdio:/opt/squid/squid5/var/logs/access.log.mitm extended
pid_filename /opt/squid/squid5/var/run/squid.pid
max_filedescriptors 5000

Any help is appreciated. Thanks in advance!

Thanks,
Vinod

On Tue, May 4, 2021 at 2:12 AM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> Hello Vinod,
>
>     Squid does not support BoringSSL, and we will not add such support
> in the foreseeable future. We have more than enough troubles with GnuTLS
> support and not enough resources to support yet another TLS library,
> especially one that is not meant for general use[1]!
>
> [1] https://boringssl.googlesource.com/boringssl/
> Although BoringSSL is an open source project, it is not intended for
> general use, as OpenSSL is. We don't recommend that third parties depend
> upon it. Doing so is likely to be frustrating because there are no
> guarantees of API or ABI stability.
>
>
> HTH,
>
> Alex.
>
>
> On 5/3/21 4:10 PM, vinod mg wrote:
> > Hi Team,
> >
> > I have followed
> > -
> https://www.interserver.net/tips/kb/openssl-vs-boringssl-boringssl-install-boringssl/
> > <
> https://www.interserver.net/tips/kb/openssl-vs-boringssl-boringssl-install-boringssl/
> >
> > and was able to install in server's /home/src/boringssl
> >
> > while configuring squid I am using below options -
> >
> > ./configure '--prefix=/opt/boring/squid5'
> > '--with-openssl=/home/src/boringssl' '--enable-ssl-crtd'
> > '--with-filedescriptors=3276800' '--enable-storeio=diskd,aufs,ufs'
> > '--with-large-files' '--enable-useragent-log'
> > '--enable-ltdl-convenience' '--with-tls' '--enable-http-violations'
> >
> >
> > while running 'make' I am getting the below error, and I am not able to find
> > a solution for this.
> >
> > In file included from ../../src/ssl/support.h:21,
> >
> >                  from ../../src/SquidConfig.h:29,
> >
> >                  from old_api.cc:24:
> >
> > ../../src/ssl/gadgets.h:56:25: error: ‘TXT_DB’ was not declared in this
> > scope
> >
> >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>>
> > TXT_DB_Pointer;
> >
> > ../../src/ssl/gadgets.h:56:47: error: ‘TXT_DB’ was not declared in this
> > scope
> >
> >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>>
> > TXT_DB_Pointer;
> >
> > ../../src/ssl/gadgets.h:56:68: error: template argument 2 is invalid
> >
> >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>>
> > TXT_DB_Pointer;
> >
> > ../../src/ssl/gadgets.h:56:68: error: template argument 3 is invalid
> >
> > ../../src/ssl/gadgets.h:56:71: error: template argument 1 is invalid
> >
> >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>>
> > TXT_DB_Pointer;
> >
> > ../../src/ssl/gadgets.h:56:71: error: template argument 2 is invalid
> >
> > ../../src/ssl/gadgets.h:56:1: error: ‘typedef’ was ignored in this
> > declaration [-Werror]
> >
> >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>>
> > TXT_DB_Pointer;
> >
> > cc1plus: all warnings being treated as errors
> >
> > make[3]: *** [Makefile:840: old_api.lo] Error 1
> >
> > make[3]: Leaving directory '/tmp/squid-5.0.5/src/mem'
> >
> > make[2]: *** [Makefile:6851: all-recursive] Error 1
> >
> > make[2]: Leaving directory '/tmp/squid-5.0.5/src'
> >
> > make[1]: *** [Makefile:5840: all] Error 2
> >
> > make[1]: Leaving directory '/tmp/squid-5.0.5/src'
> >
> > make: *** [Makefile:593: all-recursive] Error 1
> >
> >
> > My node is running on - CentOS Linux release 8.3.2011
> > Squid version - 5.0.4
> > Installed Openssl version - OpenSSL 1.1.1g FIPS  21 Apr 2020
> >
> > Thanks,
> > Vinod
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
>
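The two observations in Vinod's first message (no GREASE entries shown, secp521r1 still offered) concern the ClientHello that the test site receives. With `ssl_bump bump`, Squid terminates Chrome's TLS connection and originates a new one upstream with its own OpenSSL ClientHello (shaped by `tls_outgoing_options`), so the test site reports the proxy's handshake, not the browser's. The script below is an added example (not code from this thread, from Squid or from OpenSSL) that parses a raw TLS ClientHello record and reports its cipher suites, supported groups and extension types, marking GREASE values per RFC 8701 (0x0a0a, 0x1a1a, ..., 0xfafa). The two records it inspects are constructed inside the script: a browser-style hello that carries GREASE values and a proxy-style hello that does not but offers secp521r1. The name tables are a partial subset of the IANA registries, enough for the demonstration.

```python
"""
Inspect the cipher suites and named groups offered in a TLS ClientHello.

Added example (not Squid or OpenSSL code). Lets you check what a proxy
actually sends upstream when ssl_bump re-originates the TLS handshake.
"""
import struct

EXT_SUPPORTED_GROUPS = 0x000A

# Partial name tables (assumption: small subset of the IANA registries).
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001D: "x25519"}


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values: both bytes equal and their low nibble is 0xA."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(cipher_suites, groups, extra_ext_types=()):
    """Construct a minimal ClientHello record (sample data, zero random)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # compression_methods: null only
    grp = b"".join(struct.pack("!H", g) for g in groups)
    ext_body = struct.pack("!H", len(grp)) + grp
    exts = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_body)) + ext_body
    for ext_type in extra_ext_types:                   # empty extensions (GREASE extensions are empty)
        exts += struct.pack("!HH", ext_type, 0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the cipher suites, named groups and extension types in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                               # skip compression_methods
    groups, ext_types = [], []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_types.append(ext_type)
            if ext_type == EXT_SUPPORTED_GROUPS:
                glen = struct.unpack("!H", body[pos:pos + 2])[0]
                groups = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0] for i in range(0, glen, 2)]
            pos += ext_size
    return {"cipher_suites": suites, "groups": groups, "extensions": ext_types}


def describe(value: int, names: dict) -> str:
    return f"GREASE(0x{value:04x})" if is_grease(value) else names.get(value, f"0x{value:04x}")


def summarize(record: bytes) -> dict:
    """Human-readable view plus the two checks discussed in the thread."""
    hello = parse_client_hello(record)
    everything = hello["cipher_suites"] + hello["groups"] + hello["extensions"]
    return {
        "cipher_suites": [describe(s, CIPHER_NAMES) for s in hello["cipher_suites"]],
        "groups": [describe(g, GROUP_NAMES) for g in hello["groups"]],
        "grease_present": any(is_grease(v) for v in everything),
        "offers_secp521r1": 0x0019 in hello["groups"],
    }


# Constructed samples: a browser-style hello with GREASE, a proxy-style hello without it.
BROWSER_HELLO = build_client_hello([0x1A1A, 0x1301, 0xC02B], [0xDADA, 0x001D, 0x0017], extra_ext_types=(0x2A2A,))
PROXY_HELLO = build_client_hello([0x1301, 0xC02F], [0x001D, 0x0017, 0x0018, 0x0019])

if __name__ == "__main__":
    for label, rec in (("browser", BROWSER_HELLO), ("proxy", PROXY_HELLO)):
        print(label, summarize(rec))
```

To check a real deployment, capture the first TLS record on the proxy's outgoing connection (tcpdump or Wireshark on the Squid host) and pass its raw bytes to `summarize()`; a hello without GREASE values, or one that lists secp521r1, is coming from the proxy's TLS library rather than from the browser, which is what the test sites in the first message were reporting.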