[squid-users] Can I configure squid5 with Boring SSL

Alex Rousskov rousskov at measurement-factory.com
Tue May 4 13:45:15 UTC 2021


On 5/4/21 5:33 AM, vinod mg wrote:

> 1) Current squid build with OpenSSL is not showing transactional ciphers
> while browsing via chrome eg: (TLS_GREASE_DA),
> (TLS_GREASE_IS_THE_WORD_BA)  --> is there any way to add these?

> 2) I am unable to suppress Named group 'secp521r1' while going via this
> squid build on chrome browser. --> Is there any way to suppress this?

I do not know the answers to your questions, but they sound like OpenSSL
questions (rather than Squid questions) to me. AFAIK, Squid code is
unaware of the concepts you are talking about -- it just passes your
configuration to OpenSSL. If OpenSSL can be configured to do what you
want, then, in most cases, you can configure Squid+OpenSSL to do that.

Alex.


> I am using - https://browserleaks.com/ssl and https://www.howsmyssl.com to
> check above parameters.
> 
> I am using below configs with OpenSSL and it works fine except for above
> mentioned issues.
> 
> acl manager proto cache_object
> acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
> acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8443 # multiling http
> acl CONNECT method CONNECT
> acl intermediate_fetching transaction_initiator certificate-fetching
> http_access allow intermediate_fetching
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl blocked_sites ssl::server_name .apple.com
> acl amazon_deny dstdomain "/opt/squid/squid5/etc/blockdomains"
> http_access allow localnet
> http_access allow localhost
> http_access deny blocked_sites
> http_access deny amazon_deny
> http_access allow all
> http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/opt/squid/squid5/etc/certs/ProxyBump.crt tls-key=/opt/squid/squid5/etc/certs/ProxyBump.key tls-dh=prime256v1:/opt/squid/squid5/etc/certs/ProxyBump.pem
> sslcrtd_program /opt/squid/squid5/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
> sslproxy_cert_error allow all
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> ssl_bump splice all
> tls_outgoing_options cipher=HIGH:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> cache_mem 1024 MB
> cache deny all
> cache_dir aufs /opt/squid/squid5/var/cache/squid 1024 16 256
> shutdown_lifetime 2 seconds
> coredump_dir /opt/squid/squid5/var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_peer 10.12.11.2 parent 8080 0 no-query default login=abc:abc at 123
> never_direct allow all
> server_persistent_connections off
> logfile_rotate 30
> via off
> forwarded_for delete
> visible_hostname localhost
> logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %>h %Se %>sh
> logformat extended  %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %Hs %<st "%{Referer}>h" "%{User-agent}>h"
> cache_log /opt/squid/squid5/var/logs/cache.log
> acl hasRequest has request
> access_log none !hasRequest
> access_log stdio:/opt/squid/squid5/var/logs/access.log
> access_log stdio:/opt/squid/squid5/var/logs/access.log.mitm extended
> pid_filename /opt/squid/squid5/var/run/squid.pid
> max_filedescriptors 5000
> 
> Any help is appreciated. Thanks in advance!
> 
> Thanks,
> Vinod
> 
> On Tue, May 4, 2021 at 2:12 AM Alex Rousskov
> <rousskov at measurement-factory.com
> <mailto:rousskov at measurement-factory.com>> wrote:
> 
>     Hello Vinod,
> 
>     Squid does not support BoringSSL, and we will not add such support
>     in the foreseeable future. We have more than enough troubles with GnuTLS
>     support and not enough resources to support yet another TLS library,
>     especially one that is not meant for general use[1]!
> 
>     [1] https://boringssl.googlesource.com/boringssl/
>     Although BoringSSL is an open source project, it is not intended for
>     general use, as OpenSSL is. We don't recommend that third parties depend
>     upon it. Doing so is likely to be frustrating because there are no
>     guarantees of API or ABI stability.
> 
> 
>     HTH,
> 
>     Alex.
> 
> 
>     On 5/3/21 4:10 PM, vinod mg wrote:
>     > Hi Team,
>     >
>     > I have followed
>     > https://www.interserver.net/tips/kb/openssl-vs-boringssl-boringssl-install-boringssl/
>     > and was able to install in server's /home/src/boringssl
>     >
>     > while configuring squid I am using below options - 
>     >
>     > ./configure '--prefix=/opt/boring/squid5'
>     > '--with-openssl=/home/src/boringssl' '--enable-ssl-crtd'
>     > '--with-filedescriptors=3276800' '--enable-storeio=diskd,aufs,ufs'
>     > '--with-large-files' '--enable-useragent-log'
>     > '--enable-ltdl-convenience' '--with-tls' '--enable-http-violations'
>     >
>     >
>     > while running 'make' I am getting below error, and I am not able to find
>     > a solution for this.
>     >
>     > In file included from ../../src/ssl/support.h:21,
>     >                  from ../../src/SquidConfig.h:29,
>     >                  from old_api.cc:24:
>     > ../../src/ssl/gadgets.h:56:25: error: ‘TXT_DB’ was not declared in this scope
>     >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
>     > ../../src/ssl/gadgets.h:56:47: error: ‘TXT_DB’ was not declared in this scope
>     >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
>     > ../../src/ssl/gadgets.h:56:68: error: template argument 2 is invalid
>     >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
>     > ../../src/ssl/gadgets.h:56:68: error: template argument 3 is invalid
>     > ../../src/ssl/gadgets.h:56:71: error: template argument 1 is invalid
>     >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
>     > ../../src/ssl/gadgets.h:56:71: error: template argument 2 is invalid
>     > ../../src/ssl/gadgets.h:56:1: error: ‘typedef’ was ignored in this declaration [-Werror]
>     >  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
>     > cc1plus: all warnings being treated as errors
>     > make[3]: *** [Makefile:840: old_api.lo] Error 1
>     > make[3]: Leaving directory '/tmp/squid-5.0.5/src/mem'
>     > make[2]: *** [Makefile:6851: all-recursive] Error 1
>     > make[2]: Leaving directory '/tmp/squid-5.0.5/src'
>     > make[1]: *** [Makefile:5840: all] Error 2
>     > make[1]: Leaving directory '/tmp/squid-5.0.5/src'
>     > make: *** [Makefile:593: all-recursive] Error 1
>     >
>     >
>     > My node is running on - CentOS Linux release 8.3.2011
>     > Squid version - 5.0.4
>     > Installed Openssl version - OpenSSL 1.1.1g FIPS  21 Apr 2020
>     >
>     > Thanks,
>     > Vinod
>     >
> 
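Through a bumping Squid, browserleaks.com and howsmyssl.com see the ClientHello that OpenSSL builds for Squid's outgoing connection rather than Chrome's, which is why the GREASE entries are missing and OpenSSL 1.1.1's default group list (secp521r1 included) shows up. The parser below is an added example, not code from this thread, Squid or OpenSSL; it decodes the two fields those sites report from a constructed ClientHello and flags GREASE values (RFC 8701) and secp521r1.

```python
# Added example, not code from the squid-users thread, Squid or OpenSSL: decode
# the cipher_suites and supported_groups lists of a TLS ClientHello record, the
# two fields browserleaks and howsmyssl report for the connection they receive.
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}   # RFC 8701: 0x0a0a, 0x1a1a ... 0xfafa
SECP521R1 = 0x0019                                  # named group id from RFC 8422
SUPPORTED_GROUPS_EXT = 10

def parse_client_hello(record: bytes) -> dict:
    """Return cipher suites and named groups offered in a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                            # record + hs headers, version, random
    pos += 1 + record[pos]                          # session id
    n = struct.unpack_from(">H", record, pos)[0]; pos += 2
    ciphers = [struct.unpack_from(">H", record, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + record[pos]                          # compression methods
    groups = []
    if pos < len(record):                           # extensions block is optional
        end = pos + 2 + struct.unpack_from(">H", record, pos)[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", record, pos); pos += 4
            if etype == SUPPORTED_GROUPS_EXT:
                glen = struct.unpack_from(">H", record, pos)[0]
                groups = [struct.unpack_from(">H", record, pos + 2 + i)[0]
                          for i in range(0, glen, 2)]
            pos += elen
    return {"ciphers": ciphers, "groups": groups}

def summarize(hello: dict) -> dict:
    """Flag the two things the thread asks about: GREASE entries and secp521r1."""
    return {"grease_ciphers": [c for c in hello["ciphers"] if c in GREASE],
            "grease_groups": [g for g in hello["groups"] if g in GREASE],
            "offers_secp521r1": SECP521R1 in hello["groups"]}

def build_client_hello(ciphers, groups) -> bytes:
    """Constructed sample ClientHello with TLS 1.2 framing, not a real capture."""
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    gs = b"".join(struct.pack(">H", g) for g in groups)
    ext = struct.pack(">HHH", SUPPORTED_GROUPS_EXT, len(gs) + 2, len(gs)) + gs
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", len(cs)) + cs
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
# Chrome-style offer (GREASE in both lists) versus an OpenSSL 1.1.1 default-style offer
CHROME_LIKE = build_client_hello([0x0A0A, 0x1301, 0xC02B], [0x0A0A, 0x001D, 0x0017, 0x0018])
OPENSSL_LIKE = build_client_hello([0x1302, 0xC02C], [0x001D, 0x0017, 0x001E, 0x0019, 0x0018])
```

GREASE entries are reserved placeholder values a client injects at random (RFC 8701), not negotiable cipher suites, so no cipher= string handed to OpenSSL can add them to the outgoing offer.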