<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
My openssl test shows the following Cloudflare cipher:<br>
<br>
ECDHE-ECDSA-AES128-GCM-SHA256<br>
<br>
So the result is:<br>
<br>
root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443<br>
CONNECTED(00000003)<br>
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network,
CN = AddTrust External CA Root<br>
verify return:1<br>
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO ECC Certification Authority<br>
verify return:1<br>
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO ECC Extended Validation Secure Server CA<br>
verify return:1<br>
depth=0 serialNumber = 4710875, 1.3.6.1.4.1.311.60.2.1.3 = US,
1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private
Organization, C = US, postalCode = 94107, ST = California, L = San
Francisco, street = "655 Third Street, Suite 200", O = "CloudFlare,
Inc.", OU = COMODO EV Multi-Domain SSL<br>
verify return:1<br>
---<br>
Certificate chain<br>
0
s:/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/C=US/postalCode=94107/ST=California/L=San
Francisco/street=655 Third Street, Suite 200/O=CloudFlare,
Inc./OU=COMODO EV Multi-Domain SSL<br>
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Extended Validation Secure Server CA<br>
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Extended Validation Secure Server CA<br>
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Certification Authority<br>
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Certification Authority<br>
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root<br>
---<br>
Server certificate<br>
-----BEGIN CERTIFICATE-----<br>
MIIFiTCCBS+gAwIBAgIQBmy2JcYivinKaUJSCKGtKDAKBggqhkjOPQQDAjCBkjEL<br>
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE<br>
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxODA2BgNVBAMT<br>
L0NPTU9ETyBFQ0MgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB<br>
MB4XDTE1MTIwMTAwMDAwMFoXDTE2MTEzMDIzNTk1OVowggERMRAwDgYDVQQFEwc0<br>
NzEwODc1MRMwEQYLKwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERl<br>
bGF3YXJlMR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjELMAkGA1UEBhMC<br>
VVMxDjAMBgNVBBETBTk0MTA3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH<br>
Ew1TYW4gRnJhbmNpc2NvMSQwIgYDVQQJExs2NTUgVGhpcmQgU3RyZWV0LCBTdWl0<br>
ZSAyMDAxGTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xIzAhBgNVBAsTGkNPTU9E<br>
TyBFViBNdWx0aS1Eb21haW4gU1NMMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE<br>
mPbUxrSaUGUh0fWajjE6zyy35uwYkOwNOKll7E0jKcJvxJLR9IC2ySQduynfb2Mo<br>
t5+rzrL5k3RWt7ZCMDsyWaOCAuMwggLfMB8GA1UdIwQYMBaAFNNOwxm6WFnRHGC3<br>
YVNHO6d3j/iKMB0GA1UdDgQWBBT/eDUPVHJ3p6neXJv8NVND7rkLIDAOBgNVHQ8B<br>
Af8EBAMCBYAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB<br>
BQUHAwIwRgYDVR0gBD8wPTA7BgwrBgEEAbIxAQIBBQEwKzApBggrBgEFBQcCARYd<br>
aHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwVgYDVR0fBE8wTTBLoEmgR4ZF<br>
aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPRUNDRXh0ZW5kZWRWYWxpZGF0<br>
aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGHBggrBgEFBQcBAQR7MHkwUQYIKwYBBQUH<br>
MAKGRWh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0VDQ0V4dGVuZGVkVmFs<br>
aWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29j<br>
c3AuY29tb2RvY2EuY29tMC0GA1UdEQQmMCSCDmNsb3VkZmxhcmUuY29tghJ3d3cu<br>
Y2xvdWRmbGFyZS5jb20wggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdgBo9pj4H2SC<br>
vjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVFfF/KGAAAEAwBHMEUCIQCYn9hT<br>
zH7HDl8ssKN1YWXtk09MEMbNCAgONEM33Orv6gIgH99BJXaehbgEQmEBW7372nPv<br>
x3/hqhO9svDabmNm1vIAdwBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ<br>
3QAAAVFfF++7AAAEAwBIMEYCIQDlr9Q35uiX37IciNrb8I3lSIKAEB73zB0YMPVl<br>
TSl/yQIhAMCcle0L3Gu11iud65NFRogfrOmk9mtuW3ruf5Mt63D5MAoGCCqGSM49<br>
BAMCA0gAMEUCIQDuxJ4FoYrW0fnaNkRajRSwqKcXb8XpV1dYklpVVGxQOgIgRA96<br>
apf7bQLXWdoGLBJg0M7sRB1Bv9Fh+MIzLKhn5lg=<br>
-----END CERTIFICATE-----<br>
subject=/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/C=US/postalCode=94107/ST=California/L=San
Francisco/street=655 Third Street, Suite 200/O=CloudFlare,
Inc./OU=COMODO EV Multi-Domain SSL<br>
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Extended Validation Secure Server CA<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 3826 bytes and written 289 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256<br>
Server public key is 256 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256<br>
Session-ID:
46639E396A6540A888C8A9B1994C744D03810678A4F95951A5BBA293DD4BE284<br>
Session-ID-ctx:<br>
Master-Key:
26F7F58D4913230F3F93872E2E7390C7D762CDC3E46FC5AAA300866F316ED5A283A813DAFF738457C5B8F5E1340CC156<br>
Key-Arg : None<br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
TLS session ticket lifetime hint: 64800 (seconds)<br>
TLS session ticket:<br>
0000 - 94 71 18 10 6e 8b 7b d3-b1 a7 d9 d7 65 8f a6 ea   .q..n.{.....e...<br>
0010 - 45 fa 1b f8 c7 9b 94 a3-64 95 e7 15 c7 98 04 27   E.......d......'<br>
0020 - 09 bf 36 7e db f3 ab 82-17 21 f4 2b 26 13 79 94   ..6~.....!.+&.y.<br>
0030 - ce e7 30 7f c1 c2 3b 65-7e 76 28 46 d2 46 f3 8d   ..0...;e~v(F.F..<br>
0040 - 5a 54 2f 70 71 53 7a fd-fb 44 e0 df 4c 46 96 99   ZT/pqSz..D..LF..<br>
0050 - e7 63 c9 93 eb 34 32 0a-b4 af 6a db c1 f0 5d 10   .c...42...j...].<br>
0060 - 5e c3 af 9e 16 59 32 8c-b0 fb 8e cc 9a 48 8e 6a   ^....Y2......H.j<br>
0070 - 8d ee 85 5d d3 26 9d b1-96 32 ff 78 cb 93 3a ec   ...].&...2.x..:.<br>
0080 - 9c 5c bd c5 6c 24 93 d6-ad 0a c3 4e 86 a2 e6 28   .\..l$.....N...(<br>
0090 - 8c b1 a9 55 f0 01 6d ab-a2 44 52 b3 37 d6 9e 5a   ...U..m..DR.7..Z<br>
00a0 - 0c b8 1d 5b 6d 10 13 db-31 2b 4c 1a e4 46 36 84   ...[m...1+L..F6.<br>
<br>
Start Time: 1460486320<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
13.04.16 0:19, Eliezer Croitoru wrote:<br>
<span style="white-space: pre;">> Hey Yuri,<br>
><br>
> I will try to test it with couple versions of 4.0.x.<br>
> But it's weird...<br>
> The reason it's weird is that I kind of trust or understand this test:<br>
>
<a class="moz-txt-link-freetext" href="https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest">https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest</a><br>
><br>
> I am not an SSL expert in general, but I can use the openssl client to test and verify things.<br>
> I have tested this scenario with openssl like this:<br>
> # openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect www.cloudflare.com:443<br>
> CONNECTED(00000003)<br>
> 139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:<br>
> ---<br>
> no peer certificate available<br>
> ---<br>
> No client certificate CA names sent<br>
> ---<br>
> SSL handshake has read 7 bytes and written 119 bytes<br>
> ---<br>
> New, (NONE), Cipher is (NONE)<br>
> Secure Renegotiation IS NOT supported<br>
> Compression: NONE<br>
> Expansion: NONE<br>
> ---<br>
><br>
> And it seems that openssl does something which might be my fault, but if squid 3.5.16 works fine with it and 4.0.8 does not, it might be connected to the connection between the openssl library and the service, and squid only displays the issue in the nice HTML page.<br>
> I do not know what service cloudflare uses and how it all works, but if openssl states that there is an issue with what the service is either sending or itself analyzing, then the issue is at the openssl level rather than squid.<br>
><br>
> I am sure that cloudflare, openssl and squid users, admins and devs all want to resolve the issue.<br>
><br>
> Eliezer<br>
><br>
> On 12/04/2016 18:29, Yuri Voinov wrote:<br>
>><br>
> UPDATE:<br>
><br>
> Every failed connect produces the following sequence in access.log:<br>
><br>
> 1460474791.631 15444 192.168.100.103 NONE_ABORTED/200 0
CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -<br>
> 1460474791.658 0 192.168.100.103 NONE/503 3951 GET
<a class="moz-txt-link-freetext" href="https://www.cloudflare.com/*">https://www.cloudflare.com/*</a> - HIER_NONE/- text/html<br>
><br>
> Note: 198.41.215.162 is the current cloudflare.com IP.<br>
><br>
> Also: NONE_ABORTED/200 often occurs in access.log with other, accessible sites.<br>
><br>
> 12.04.16 20:03, Yuri Voinov wrote:<br>
><br>
> > UPDATE:<br>
><br>
> > <a class="moz-txt-link-freetext" href="https://i1.someimage.com/b8w5dFz.png">https://i1.someimage.com/b8w5dFz.png</a><br>
><br>
> > This is answer from Cloudflare support.<br>
><br>
> > But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?<br>
><br>
> > 12.04.16 17:55, Yuri Voinov wrote:<br>
><br>
> > > Does anybody face this problem with 4.0.8:<br>
><br>
> > > <a class="moz-txt-link-freetext" href="https://i1.someimage.com/3lD2cvV.png">https://i1.someimage.com/3lD2cvV.png</a><br>
><br>
> > > ?<br>
><br>
> > > It is accompanied by this error in cache.log:<br>
><br>
> > > 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54: error:00000000:lib(0):func(0):reason(0) (5/0/0)<br>
><br>
> > > and "NONE/503" in access.log.<br>
><br>
> > > Without the proxy it works like a charm. 3.5.16 with a similar squid.conf works like a charm.<br>
><br>
> > > NB: Cloudflare support said that the key features for SSL are SNI and ECDSA now. AFAIK, 4.0.8 fully supports these features.<br>
><br>
> > > Any advice will be helpful.<br>
><br>
> > > Yes, I know this looks like DDoS protection on Cloudflare. But WTF?<br>
><br>
> > A workaround is required. Half the Internet is hosted on Cloudflare.<br>
><br>
> > > WBR, Yuri<br>
><br>
>><br>
>> _______________________________________________<br>
>> squid-users mailing list<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
>> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJXDUDWAAoJENNXIZxhPexGKC8IAMyl3KxLSB89wgvI8THpMgAH
<br>
MKyv6PiSOk6IyXc3w0bbk/H6CpbJZZReOA7HWX8uUNy2zfzq/KGZsOUFpuC1WCR+
<br>
J7DbGDWjQbPm8BiYPLOtfziY/yvCiON7N0Iw9VTfu8JmjZ/1Dkn+PLMhphNWxZ0K
<br>
gCKukIl8/RQcy8VPSntVriKD43kEsSR854GbJq57DfUgZbBGmo7IKCRepHpijjyj
<br>
0GyVtwhI24rgMRasmoOIr6QK6x6+zom3RkusZCQs3u0U1vpqHI70R9eiPbORgiYS
<br>
mkX9CQtN6rOlZtDgtZ7ZFuSzO2TWSTRAYBXArdov4CsWjTP+YsxT9TJ5cLhKopk=
<br>
=IoWl
<br>
-----END PGP SIGNATURE-----
<br>
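Added example (not from the thread, Squid, OpenSSL or Cloudflare): the two openssl s_client runs above differ only in the cipher the client offers, and the AES256-SHA run dies with "sslv3 alert handshake failure" before any certificate is seen, which is the server rejecting the ClientHello rather than a certificate problem. The script below turns captured s_client output into a record that can be checked in a script, and then probes a server one TLS 1.2 suite at a time with Python's ssl module to list which suites it actually accepts. The host, port and suite list in main() are assumptions for illustration; the two sample outputs are trimmed copies of the runs quoted in the thread.<br>

```python
#!/usr/bin/env python3
"""Parse `openssl s_client` output and probe a server cipher suite by suite.

Added example for the squid-users thread; not code from squid, OpenSSL or
Cloudflare. parse_s_client() classifies captured s_client text;
probe_ciphers() asks a server, one TLS 1.2 suite at a time, which suites it
completes a handshake with. Host, port and suite list are assumptions.
"""
import re
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class HandshakeResult:
    ok: bool
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_code: Optional[int] = None
    error: Optional[str] = None


# Constructed from the two s_client runs quoted in the thread (trimmed).
SAMPLE_OK = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

SAMPLE_FAIL = """\
CONNECTED(00000003)
139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
no peer certificate available
New, (NONE), Cipher is (NONE)
"""

_ERR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:([^:]+):")


def parse_s_client(output: str) -> HandshakeResult:
    """Classify s_client output as a completed or failed handshake."""
    err = _ERR.search(output)
    if err or "Cipher is (NONE)" in output:
        # The alert text ("sslv3 alert handshake failure") means the server
        # rejected our ClientHello; no certificate was ever exchanged.
        return HandshakeResult(ok=False,
                               error=err.group(1) if err else "no cipher negotiated")
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    ciph = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    return HandshakeResult(
        ok=True,
        protocol=proto.group(1) if proto else None,
        cipher=ciph.group(1) if ciph else None,
        verify_code=int(verify.group(1)) if verify else None,
    )


def probe_ciphers(host: str, port: int, suites, timeout: float = 5.0):
    """Try one TLS 1.2 handshake per suite; return {suite: HandshakeResult}."""
    results = {}
    for suite in suites:
        ctx = ssl.create_default_context()          # verifies chain and hostname
        # Cap at TLS 1.2: with 1.3 enabled the server could pick a 1.3 suite
        # and the probe would report "ok" for a 1.2 suite it never accepted.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(suite)                   # SSLError if local OpenSSL lacks it
        except ssl.SSLError as e:
            results[suite] = HandshakeResult(ok=False, error=f"not available locally: {e}")
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # server_hostname sends SNI, which the thread says Cloudflare relies on.
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[suite] = HandshakeResult(
                        ok=True, protocol=tls.version(),
                        cipher=tls.cipher()[0], verify_code=0)
        except ssl.SSLError as e:
            results[suite] = HandshakeResult(ok=False, error=e.reason or str(e))
        except OSError as e:
            results[suite] = HandshakeResult(ok=False, error=str(e))
    return results


def accepted(results) -> list:
    """Suites the server completed a handshake with."""
    return sorted(s for s, r in results.items() if r.ok)


if __name__ == "__main__":
    for name, text in (("AES128-GCM run", SAMPLE_OK), ("AES256-SHA run", SAMPLE_FAIL)):
        print(name, parse_s_client(text))
    if len(sys.argv) > 1:                            # usage: probe.py host [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        suites = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]   # assumed list
        for suite, r in probe_ciphers(host, port, suites).items():
            print(f"{suite:32s} {'OK ' + str(r.cipher) if r.ok else 'FAIL ' + str(r.error)}")
```

A suite that the local OpenSSL cannot even select (for example under a strict security level) is reported separately from one the server refuses, so a proxy's own build and the origin's policy can be told apart; an RSA-keyed suite failing against a host that only presents an ECDSA certificate, as in the chain above, is expected and not a bug.<br>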
<br>
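Added example (not from the thread or from Squid): the access.log pair quoted above, a NONE_ABORTED/200 CONNECT immediately followed by a NONE/503 GET with HIER_NONE, is the footprint of a bump that failed before anything was fetched from the origin. Since the thread also notes that NONE_ABORTED/200 shows up for sites that work, the check below only counts an aborted CONNECT when the same client gets a 503 error page from Squid right after it. The first two log lines are the ones from the thread; the other two are constructed to show an aborted CONNECT whose follow-up request succeeded, which must not count.<br>

```python
#!/usr/bin/env python3
"""Find failed TLS bumps in a Squid native-format access.log.

Added example for the access.log lines in the squid-users thread; not part
of Squid. Pairs each NONE/503 + HIER_NONE error page with the NONE_ABORTED
CONNECT from the same client that ended just before it. Assumes the default
native log format and that lines are in log order.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Lines 1-2 are from the thread; lines 3-4 are constructed (TEST-NET address).
SAMPLE_LOG = """\
1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
1460474791.658      0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
1460474800.100   2310 192.168.100.104 NONE_ABORTED/200 0 CONNECT 192.0.2.10:443 - ORIGINAL_DST/192.0.2.10 -
1460474800.420     12 192.168.100.104 TCP_MISS/200 5120 GET https://example.org/ - ORIGINAL_DST/192.0.2.10 text/html
"""


@dataclass
class Entry:
    ts: float       # seconds since epoch, written when the transaction ends
    client: str
    result: str     # Squid result code, e.g. NONE_ABORTED
    status: int     # HTTP status
    method: str
    url: str        # for CONNECT this is host:port
    hier: str       # hierarchy code, e.g. HIER_NONE/-


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; None for blank or malformed lines."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[8])


def failed_bumps(lines: Iterable[str], window: float = 2.0) -> List[Tuple[Entry, Entry]]:
    """Return (aborted CONNECT, 503 error page) pairs for the same client
    where the error page was logged within `window` seconds of the CONNECT."""
    last_abort = {}   # client -> most recent NONE_ABORTED CONNECT
    pairs = []
    for e in map(parse_line, lines):
        if e is None:
            continue
        if e.method == "CONNECT" and e.result == "NONE_ABORTED":
            last_abort[e.client] = e
        elif e.status == 503 and e.hier.startswith("HIER_NONE"):
            c = last_abort.get(e.client)
            if c is not None and 0 <= e.ts - c.ts <= window:
                pairs.append((c, e))
                del last_abort[e.client]   # one error page per aborted CONNECT
    return pairs


def failing_destinations(pairs) -> Counter:
    """Failures per CONNECT target (host:port), to see which origins break."""
    return Counter(c.url for c, _ in pairs)


if __name__ == "__main__":
    found = failed_bumps(SAMPLE_LOG.splitlines())
    for dest, n in failing_destinations(found).most_common():
        print(f"{n:4d}  {dest}")
```

Run it over a real log with `failed_bumps(open("access.log"))`; a destination that dominates the count while other sites pass is the one to reproduce with openssl s_client, as done earlier in the thread.<br>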
</body>
</html>