[squid-users] Squid 3.5 Forward Secrecy on https_port

dweimer dweimer at dweimer.net
Wed Aug 12 20:22:22 UTC 2015


I am trying to see if I have found another Squid 3.5.x issue with 
FreeBSD 10, or if I just have something set wrong on my https_port 
settings.

The server I am testing with is currently running FreeBSD 10.2-RC3, with 
Squid 3.5.7, and LibreSSL 2.2.2. The Apache 2.4.16 server behind squid 
is using the same cipher list settings, and the same LibreSSL 2.2.2 
library, and the same certificate file.

Here is the squid https_port line.

https_port 443 accel defaultsite=www.dweimer.net \
  cert=/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt \
  key=/common/GoDaddy.Cert/dweimer.net.key \
  options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
  dhparams=dh.params \
  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4 \
  vhost

Apache SSL Configuration
SSLHonorCipherOrder On
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
SSLCertificateFile "/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt"
SSLCertificateKeyFile "/common/GoDaddy.Cert/dweimer.net.key"

Apache test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-CHACHA20-POLY1305
...

Squid test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : AES256-GCM-SHA384
...

Squid Test with cipher from Apache specified:
openssl s_client -tls1_2 -cipher ECDHE-RSA-CHACHA20-POLY1305 -connect 192.168.5.3:443
CONNECTED(00000003)
34381405160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1133:SSL alert number 40
34381405160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:522:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
...

Squid does however use this cipher when connecting to the Apache server, 
even though the client isn't using a forward secrecy capable cipher 
(TLS_RSA_WITH_AES_256_CBC_SHA TLS1.2 reported by Firefox), determined by 
using a script with the PHP $_SERVER predefined variable connected 
through the reverse proxy.
SERVER_PROTOCOL  HTTP/1.1
SERVER_SOFTWARE  Apache/2.4.16 (FreeBSD) LibreSSL/2.2.2 SVN/1.8.14 PHP/5.6.11
SSL_CIPHER       ECDHE-RSA-CHACHA20-POLY1305

Does anyone see something missing in my https_port configuration that is 
causing it to not use the ECDHE keys?

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
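
Added example (not part of the original post): a small shell helper that reads `openssl s_client` output like the transcripts above and reports whether the negotiated cipher provides forward secrecy. The function names and sample variables are assumptions made for illustration; it also recognises DHE, anonymous and TLS 1.3 suite names, which goes beyond the three cases in the post.

```shell
#!/bin/sh
# Added example: classify the cipher that `openssl s_client` reports on stdin.
# Typical use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | classify_pfs
# Prints "<cipher> <verdict>"; always returns 0 so it is safe under `set -e`.
classify_pfs() {
    # The summary line looks like: "New, TLSv1/SSLv3, Cipher is <name>"
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1 | tr -d '\r')
    case "$cipher" in
        "")                  echo "unknown no-cipher-line" ;;
        "(NONE)")            echo "(NONE) handshake-failed" ;;
        # Ephemeral but unauthenticated; the post's cipher list excludes these.
        ADH-*|AECDH-*)       echo "$cipher anonymous-unauthenticated" ;;
        ECDHE-*|DHE-*|EDH-*) echo "$cipher forward-secret" ;;
        # TLS 1.3 suite names: (EC)DHE key exchange except PSK-only resumption.
        TLS_*)               echo "$cipher forward-secret" ;;
        # Everything else (plain RSA key exchange, static ECDH, ...).
        *)                   echo "$cipher not-forward-secret" ;;
    esac
}

# Succeeds only when the negotiated cipher is forward-secret (for monitoring checks).
require_pfs() {
    case "$(classify_pfs)" in
        *" forward-secret") return 0 ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample input, abbreviated from the three outputs quoted in the post.
SAMPLE_APACHE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit'
SAMPLE_SQUID='New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

for s in "$SAMPLE_APACHE" "$SAMPLE_SQUID" "$SAMPLE_FAILED"; do
    printf '%s\n' "$s" | classify_pfs
done
```

`require_pfs` returns non-zero for the Squid sample, so it can gate a deployment or monitoring check on the listener negotiating an ephemeral key exchange.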

