<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
So.<br>
<br>
Still no ideas?<br>
<br>
16.04.16 22:50, Yuri Voinov wrote:<br>
<span style="white-space: pre;">><br>
> 3.5.16 on *NIX also has this issue.<br>
><br>
> Only 3.5.16 Win64 works like a charm.<br>
><br>
> 16.04.16 17:18, Yuri Voinov wrote:<br>
> > mozilla.org now has the same issue on Squid 4 like
CloudFlare:<br>
><br>
> > <a class="moz-txt-link-freetext" href="https://i1.someimage.com/P03GmSY.png">https://i1.someimage.com/P03GmSY.png</a><br>
><br>
> > All ok but handshake does not complete:<br>
><br>
> > root @ cthulhu / # /usr/local/bin/openssl s_client
-connect<br>
> mozilla.org:443 -CApath /etc/ope/csw/ssl/certs<br>
> > CONNECTED(00000003)<br>
> > depth=2 C = US, O = DigiCert Inc, OU = <a class="moz-txt-link-abbreviated" href="http://www.digicert.com">www.digicert.com</a>,
CN = DigiCert<br>
> High Assurance EV Root CA<br>
> > verify return:1<br>
> > depth=1 C = US, O = DigiCert Inc, OU = <a class="moz-txt-link-abbreviated" href="http://www.digicert.com">www.digicert.com</a>,
CN = DigiCert<br>
> High Assurance EV CA-1<br>
> > verify return:1<br>
> > depth=0 businessCategory = Private Organization,<br>
> 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 =
California,<br>
> serialNumber = C2543436, street = 650 Castro St Ste 300,
postalCode =<br>
> 94041, C = US, ST = California, L = Mountain View, O =
Mozilla<br>
> Foundation, CN = <a class="moz-txt-link-abbreviated" href="http://www.mozilla.org">www.mozilla.org</a><br>
> > verify return:1<br>
> > ---<br>
> > Certificate chain<br>
> > 0 s:/businessCategory=Private<br>
>
Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650<br>
> Castro St Ste
300/postalCode=94041/C=US/ST=California/L=Mountain<br>
> View/O=Mozilla Foundation/CN=www.mozilla.org<br>
> > i:/C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert High<br>
> Assurance EV CA-1<br>
> > 1 s:/C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert High<br>
> Assurance EV CA-1<br>
> > i:/C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert High<br>
> Assurance EV Root CA<br>
> > ---<br>
> > Server certificate<br>
> > subject=/businessCategory=Private<br>
>
Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650<br>
> Castro St Ste
300/postalCode=94041/C=US/ST=California/L=Mountain<br>
> View/O=Mozilla Foundation/CN=www.mozilla.org<br>
> > issuer=/C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert High<br>
> Assurance EV CA-1<br>
> > ---<br>
> > No client certificate CA names sent<br>
> > ---<br>
> > SSL handshake has read 4163 bytes and written 446 bytes<br>
> > ---<br>
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>
> > Server public key is 2048 bit<br>
> > Secure Renegotiation IS supported<br>
> > Compression: NONE<br>
> > Expansion: NONE<br>
> > No ALPN negotiated<br>
> > SSL-Session:<br>
> > Protocol : TLSv1.2<br>
> > Cipher : ECDHE-RSA-AES128-GCM-SHA256<br>
> > Session-ID:<br>
>
E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA<br>
> > Session-ID-ctx:<br>
> > Master-Key:<br>
>
D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B<br>
> > Start Time: 1460805325<br>
> > Timeout : 300 (sec)<br>
> > Verify return code: 0 (ok)<br>
> > ---<br>
><br>
> > access.log also got NONE/503:<br>
><br>
> > 1460805179.734 0 192.168.100.103 NONE/503 3944 GET<br>
> <a class="moz-txt-link-freetext" href="https://www.mozilla.org/favicon.ico">https://www.mozilla.org/favicon.ico</a> - HIER_NONE/- text/html<br>
><br>
> > and cache.log:<br>
><br>
> > 2016/04/16 17:12:59 kid1| Error negotiating SSL on FD
56:<br>
> error:00000000:lib(0):func(0):reason(0) (5/0/0)<br>
><br>
> > 15.04.16 15:17, Amos Jeffries wrote:<br>
> >> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:<br>
> >>> Ok, nobody.<br>
> >>><br>
> >>> Well.<br>
> >>><br>
> >>> I've done my own research.<br>
> >>><br>
> >>> My suggestions:<br>
> >>><br>
> >>> CloudFlare now uses its own custom OpenSSL
1.0.2 with very custom<br>
> >>> patches with CHACHA Poly support.<br>
> >>><br>
> >>> These patches are not in upstream. Moreover,
the OpenSSL team has no plans in the<br>
> >>> foreseeable future to support the latest
ciphers.<br>
> >>><br>
> >>> So, Squid 4 can't handshake TLS with CF right
now. Possibly it is a Squid<br>
> >>> 4.x branch bug, because 3.5.x does the CF
handshake.<br>
> >>><br>
> >>> LibreSSL does CHACHA right now.<br>
> >>><br>
> >>> The question is:<br>
> >>><br>
> >>> Amos, can Squid support LibreSSL and, if
not, when do you plan to<br>
> support it?<br>
> >> Yes Squid does support LibreSSL. You can build
against it with the<br>
> >> --with-openssl configure option, maybe using a =path
parameter to ensure<br>
> >> it doesn't find an OpenSSL install.<br>
> >><br>
> >> The difference between LibreSSL and OpenSSL is
likely to be more visible<br>
> >> in the squid.conf settings that it will accept and
those that it<br>
> >> rejects. They are still basically the same but I
know that the LibreSSL<br>
> >> guys are being very proactive removing old things
like SSLv2 support. So<br>
> >> those config options won't work even when Squid-3.5
normally would<br>
> >> accept them with OpenSSL.<br>
> >><br>
> >> Amos<br>
> >> _______________________________________________<br>
> >> squid-users mailing list<br>
> >> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> >> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
><br>
></span><br>
<br>
<br>
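Added example, not part of the original message or of Squid: a small script that pairs the access.log NONE/503 entries quoted above with cache.log "Error negotiating SSL" lines. access.log carries epoch timestamps while cache.log carries local time, so the UTC offset must be supplied; +6 hours is an assumption inferred from the two quoted lines agreeing to the second. The second line of each sample log is constructed.<br>

```python
import re
from datetime import datetime, timedelta, timezone

# First line of each sample is quoted in the thread; the second is constructed.
ACCESS_LOG = """\
1460805179.734 0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
1460805181.102 212 192.168.100.103 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""
CACHE_LOG = """\
2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2016/04/16 17:20:00 kid1| Logfile: opening log /var/log/squid/access.log
"""

# Native access.log format: time elapsed client tag/status bytes method URL ...
ACCESS_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)")
CACHE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\S* \S+\| (Error negotiating SSL .*)$")


def failed_bumps(access_text):
    """Yield (utc_time, client, url) for requests that failed before any upstream reply."""
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "NONE" and m.group(4) == "503":
            when = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
            yield when, m.group(2), m.group(6)


def tls_errors(cache_text, utc_offset_hours):
    """Yield (aware_time, message) for TLS negotiation errors; cache.log is local time."""
    local = timezone(timedelta(hours=utc_offset_hours))
    for line in cache_text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=local)
            yield when, m.group(2)


def correlate(access_text, cache_text, utc_offset_hours, window=2.0):
    """Return [(url, client, [messages])] for each NONE/503, matched within `window` seconds."""
    errors = list(tls_errors(cache_text, utc_offset_hours))
    out = []
    for when, client, url in failed_bumps(access_text):
        near = [msg for t, msg in errors if abs((t - when).total_seconds()) <= window]
        out.append((url, client, near))
    return out


if __name__ == "__main__":
    for url, client, msgs in correlate(ACCESS_LOG, CACHE_LOG, utc_offset_hours=6):
        print(client, url, msgs or "no TLS error logged nearby")
```

A NONE/503 with no nearby TLS error usually means the wrong UTC offset was supplied or the failure happened outside the TLS handshake.<br>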
</body>
</html>