<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
Strange:<br>
<br>
Connecting directly from the server via wget through the proxy works:<br>
<br>
root @ cthulhu /tmp # wget -S <a class="moz-txt-link-freetext" href="https://cloudflare.com">https://cloudflare.com</a><br>
--2016-04-15 02:19:41-- <a class="moz-txt-link-freetext" href="https://cloudflare.com/">https://cloudflare.com/</a><br>
Connecting to 127.0.0.1:3128... connected.<br>
Proxy request sent, awaiting response...<br>
HTTP/1.1 302 Moved Temporarily<br>
Server: cloudflare-nginx<br>
Date: Thu, 14 Apr 2016 20:19:41 GMT<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Set-Cookie: __cfduid=dfeddf543b09766778140e887d88543c71460665181;
expires=Fri, 14-Apr-17 20:19:41 GMT; path=/; domain=.cloudflare.com;
HttpOnly<br>
Cache-Control: private, max-age=0, no-store, no-cache,
must-revalidate, post-check=0, pre-check=0<br>
Expires: Thu, 01 Jan 1970 00:00:01 GMT<br>
Location: <a class="moz-txt-link-freetext" href="https://www.cloudflare.com/">https://www.cloudflare.com/</a><br>
CF-RAY: 2939daab044b2654-FRA<br>
Location: <a class="moz-txt-link-freetext" href="https://www.cloudflare.com/">https://www.cloudflare.com/</a> [following]<br>
--2016-04-15 02:19:41-- <a class="moz-txt-link-freetext" href="https://www.cloudflare.com/">https://www.cloudflare.com/</a><br>
Connecting to 127.0.0.1:3128... connected.<br>
Proxy request sent, awaiting response...<br>
HTTP/1.1 200 OK<br>
Server: cloudflare-nginx<br>
Date: Thu, 14 Apr 2016 20:19:42 GMT<br>
Content-Type: text/html<br>
Transfer-Encoding: chunked<br>
Connection: keep-alive<br>
Last-Modified: Thu, 14 Apr 2016 19:46:02 GMT<br>
Strict-Transport-Security: max-age=31536000<br>
X-Content-Type-Options: nosniff<br>
X-Frame-Options: SAMEORIGIN<br>
Content-Security-Policy: default-src 'self' <a class="moz-txt-link-freetext" href="https://*">https://*</a>; script-src
'self' 'unsafe-inline' 'unsafe-eval' <a class="moz-txt-link-freetext" href="https://*">https://*</a> data:; img-src 'self'
<a class="moz-txt-link-freetext" href="https://*">https://*</a> data:; style-src 'self' 'unsafe-inline' <a class="moz-txt-link-freetext" href="https://*">https://*</a>;
font-src 'self' <a class="moz-txt-link-freetext" href="https://*">https://*</a> data:; frame-src <a class="moz-txt-link-freetext" href="https://*">https://*</a>; connect-src
'self' data: <a class="moz-txt-link-freetext" href="https://*">https://*</a><br>
X-XSS-Protection: 1; mode=block<br>
CF-Cache-Status: HIT<br>
Vary: Accept-Encoding<br>
Expires: Fri, 15 Apr 2016 00:19:42 GMT<br>
Cache-Control: public, max-age=14400<br>
CF-RAY: 2939daae503c0f75-FRA<br>
Length: unspecified [text/html]<br>
Saving to: 'index.html.1'<br>
<br>
index.html.1 [ <=> ] 15.23K
--.-KB/s in 0.1s <br>
<br>
2016-04-15 02:19:42 (121 KB/s) - 'index.html.1' saved [15597]<br>
<br>
But clients behind proxy can't handshake.<br>
<br>
<br>
<br>
15.04.16 0:40, Yuri Voinov wrote:<br>
<span style="white-space: pre;">> Finally.<br>
><br>
> 1. Squid 4 can be built with LibreSSL.<br>
> 2. Squid 4 with LibreSSL starts supporting CHACHA20_POLY1305 cryptography.<br>
> 3. Squid 4 with LibreSSL still can't connect with CloudFlare itself.<br>
><br>
> WBR, Yuri.<br>
><br>
> PS. I suggest a bug in the 4.x branch specific to the CF handshake.<br>
><br>
> 15.04.16 0:31, Yuri Voinov wrote:<br>
> > Ok, nobody.<br>
> ><br>
> > Well.<br>
> ><br>
> > I've done my own research.<br>
> ><br>
> > My suggestions:<br>
> ><br>
> > CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom patches with CHACHA Poly support.<br>
> ><br>
> > These patches are not in upstream. Moreover, the OpenSSL team has no plans in the foreseeable future to support the latest ciphers.<br>
> ><br>
> > So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid 4.x branch bug, because 3.5.x does the CF handshake.<br>
> ><br>
> > LibreSSL does CHACHA right now.<br>
> ><br>
> > The question is:<br>
> ><br>
> > Amos, can Squid support LibreSSL and, if not, when do you plan to support it?<br>
> ><br>
> > 14.04.16 20:38, Yuri Voinov wrote:<br>
> > > Any ideas?<br>
> > ><br>
> > > Anybody?<br>
> > ><br>
> > > 13.04.16 2:37, Yuri Voinov wrote:<br>
> > > > I suggest the matter can be openssl, not the OS:<br>
> > > ><br>
> > > > root @ cthulhu /patch # openssl version -a<br>
> > > > OpenSSL 1.0.1s 1 Mar 2016<br>
> > > > built on: Tue Mar 1 15:42:26 2016<br>
> > > > platform: solaris64-x86_64-cc-sunw<br>
> > > > options: bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)<br>
> > > > compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM<br>
> > > > OPENSSLDIR: "/etc/opt/csw/ssl"<br>
> > > ><br>
> > > > 13.04.16 2:29, Yuri Voinov wrote:<br>
> > > > > root @ cthulhu /patch # dig <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a><br>
> > > > ><br>
> > > > > ; <<>> DiG 9.6-ESV-R11-P4 <<>> <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a><br>
> > > > > ;; global options: +cmd<br>
> > > > > ;; Got answer:<br>
> > > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548<br>
> > > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0<br>
> > > > ><br>
> > > > > ;; QUESTION SECTION:<br>
> > > > > ;www.cloudflare.com. IN A<br>
> > > > ><br>
> > > > > ;; ANSWER SECTION:<br>
> > > > > <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a>. 86400 IN A 198.41.214.162<br>
> > > > > <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a>. 86400 IN A 198.41.215.162<br>
> > > > ><br>
> > > > > ;; Query time: 538 msec<br>
> > > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
> > > > > ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016<br>
> > > > > ;; MSG SIZE rcvd: 68<br>
> > > > ><br>
> > > > > root @ cthulhu /patch # uname -a<br>
> > > > > SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris<br>
> > > > ><br>
> > > > > But I think the OS does not matter here.<br>
> > > > ><br>
> > > > > 13.04.16 2:02, Eliezer Croitoru wrote:<br>
> > > > > > What does "dig <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a>" result with?<br>
> > > > > ><br>
> > > > > > Also what OS are you using? I am using CentOS 7 up to date...<br>
> > > > > ><br>
> > > > > > Eliezer<br>
> > > > > ><br>
> > > > > > On 12/04/2016 21:39, Yuri Voinov wrote:<br>
> > > > > > > root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com:443">www.cloudflare.com:443</a><br>
> > > > > ><br>
> > > > > > _______________________________________________<br>
> > > > > > squid-users mailing list<br>
> > > > > > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > > > > > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
></span><br>
<br>
<br>
<br>
</body>
</html>