<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
*NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C)
Linus Torvalds. :) We are not speaking about all possible OS'es. I
suggests the matter in SSL/TLS, not OS or hands or something
similar.<br>
<br>
The problem is in CF, I think. As a maximum in peek-n-splice.<br>
<br>
<br>
Because of I've not changed my squid.conf over last year, but
approx. in january 2016 CloudFlare stopped work via proxy, as said
my field SA. AFAIK, CF change own security settings. Also, I
suggests, mozilla .org also moved behind CF.<br>
<br>
Ok, let's talk about squid.conf. SSL-related rows are here:<br>
<br>
# SSL bump rules<br>
acl DiscoverSNIHost at_step SslBump1<br>
acl NoSSLIntercept ssl::server_name_regex -i
"/usr/local/squid/etc/url.nobump"<br>
acl NoSSLIntercept ssl::server_name_regex -i
"/usr/local/squid/etc/url.tor"<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLIntercept<br>
ssl_bump bump all<br>
<br>
http_port 3126 intercept<br>
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
key=/usr/local/squid/etc/rootCA.key
options=SINGLE_DH_USE,SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
key=/usr/local/squid/etc/rootCA.key
options=SINGLE_DH_USE,SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
options=SINGLE_DH_USE,SINGLE_ECDH_USE
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
sslproxy_foreign_intermediate_certs
/usr/local/squid/etc/intermediate_ca.pem<br>
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB<br>
<br>
I see no anomalies in this lines. Ciphersuite is very relaxed.<br>
<br>
Also, if we discuss a bug - may be better to turn on debug to know,
why 4.x got first NONE_ABORTED/200 during CONNECT phase and then
NONE/503 during TLS negotiate?<br>
<br>
<br>
17.04.16 14:58, Eliezer Croitoru пишет:<br>
<span style="white-space: pre;">> For me it works.<br>
> ...<br>
> The first thing to do is publish the squid.conf with a bug
report and all other related info.<br>
> *NIX doesn't mean CentOS since on CentOS this specific issue
doesn't exit.<br>
> I assume that if it works on CentOS it will work almost the
same for Ubuntu and Debian.<br>
><br>
> Eliezer<br>
><br>
> On 16/04/2016 19:50, Yuri Voinov wrote:<br>
>> 3.5.16 on *NIX is also has this issue.<br>
>><br>
>> Only 3.5.16 Win64 is works like sharm.<br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJXE2qQAAoJENNXIZxhPexGD0wH/1SkyQyaa4gHV4AhXf5RrUTM
<br>
oEyGkOcEPwYw6M4+uYgvZ1FzvjrQhS6G8RTH/XrpSZ1utt9nbNSHP+W6FnXyxNPN
<br>
J/bauCQeADWf/NUGLG8GnOMXA9LD7w20ylAwOeLe1MUQJ4DTDT4arwzExkx0kohk
<br>
4mQNqq1Q105lgh0xyUQWF/wt0Uy3hSs2pPjyK4CGPWCbRO2kmYpPANT0ejoglfsF
<br>
uWNYBN5gl4hCd9kVzo0oaVwY2sNUftc1MyYztBpYUQ9WSoHoTnlvAWcWEF7FqHV6
<br>
TIB77Pr2fURIkEIlyLIQJ7weXkueOLI8VJp3EYLX5arDDLwu4tfXKpItHx5Tjd8=
<br>
=eQPH
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>