<div dir="ltr"><div dir="ltr"> > I am currently squid-cache in hierarchy setup, with TLS enabled throughout.<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> client --> child Squid --> parent Squid --> web server<br>
<br>
>> Do you use SslBump anywhere?<br></blockquote><div> I am not using
SslBump. Part of my child squid config looks like:</div><div> </div>
<div>https_port 3128\<br> accel\<br> no-vhost\<br> defaultsite=origin\<br> cert=/squid/certs/server/cert.pem\<br> key=/squid/certs/server/key.pem\<br> cafile=/squid/certs/server/ca.pem\<br> clientca=/squid/certs/server/ca.pem<br><br>cache_peer\<br> <a href="http://parentsquid.com">parentsquid.com</a>\<br> parent\<br> 3128\<br> 0\<br> no-query\ <br> originserver\<br> no-digest\<br> no-netdb-exchange\<br> login=PASSTHRU\</div><div> tls\<br></div><div> tls-options=NO_TICKET\<br> sslcert=/squid/certs/client/cert.pem\<br> sslkey=/squid/certs/client/key.pem\<br> tls-cafile=/squid/certs/client/ca.pem</div>
<div> <br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
> Openssl version: 1.0.2k<br>
> This setup is working for 3.5.20.<br>
<br>
> But when I updated to squid 4(tried 4.8, 4.11 and 4.13),<br>
<br>
>> Does all of the above apply to both child and parent Squids? Or just the<br>
>> child?<br></blockquote><div> Following scenarios are working:</div><div> client --> child Squid 3.5.20 --> parent Squid 3.5.20 --> web server <br></div><div>
client --> child Squid 4 --> parent Squid 3.5.20 --> web server</div><div> client --> Squid 4 --> web server
</div><div> <br></div><div> But this scenarios is failing:</div><div> client --> child Squid 4 --> parent Squid 4 --> web server
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> initial HTTP request goes through, but TLS renegotiation is failing<br>
> between child and parent squid for the following requests.<br>
> <br>
> From the logs, it looks like child squid is trying to initialize TLS<br>
> renegotiating using old TLS session ID, but parent squid is rejecting<br>
> session resumption.<br>
> <br>
> I confirm this behavior using openssl s_client --reconnect option.<br>
> <br>
> I tried to disabled client initialed TLS renegotiating by setting<br>
> tls-options=NO_TICKET (on child squid), but it is affecting the behavior.<br>
<br>
>> Did you mean to say "_not_ affecting the behavior"?<br></blockquote><div> Sorry for typo. Yes, with NO_TICKET set, I am encountering same issue. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<br>
<br>
> Are there any changes in default TLS renegotiation behavior between<br>
> squid 3.5 and 4.x?<br>
<br>
It is difficult for me to say for sure -- too many changes in the<br>
surrounding code, too long ago. "Maybe" is the best answer I can give.<br>
Hopefully, others can be more specific.<br>
<br>
<br>
> Is there a way to disable the client (child squid) initialized TLS<br>
> renegotiation in squid 4?<br>
<br>
>> OpenSSL v1.1 docs have the following paragraph:<br>
<br>
> By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET<br>
> option will cause stateless tickets to not be issued. In TLSv1.2 and<br>
> below this means no ticket gets sent to the client at all. In TLSv1.3<br>
> a stateful ticket will be sent. This is a server-side option only.<br>
>> The last sentence is interesting. However, OpenSSL v1.0 documentation<br>
>> does not have that last caveat. It has another somewhat vague or open to<br>
>> interpretation statement. Perhaps OpenSSL behavior changed with v1.1. In<br>
>> that case, ignore this caveat.<br>
<br>
>> You can try options discussed in the SECURE RENEGOTIATION section of<br>
<a href="https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html" rel="noreferrer" target="_blank">>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html</a><br>
>> but it is not clear to me whether they apply to your environment.<br></div></blockquote><div><br></div><div> I tried
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, etc in</div><div> openssl option.<br></div><div> but it did not changed the behaviour.</div><div> Unfortunately, I can't update to OpenSSL v1.1 because of OS dependency issues.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<br></div>
Manoj<br>
</blockquote></div></div>