[squid-users] Squid 3.5 Forward Secrecy on https_port
dweimer
dweimer at dweimer.net
Wed Aug 12 20:22:22 UTC 2015
I am trying to see if I have found another Squid 3.5.x issue with
FreeBSD 10, or if I just have something set wrong on my https_port
settings.
The server I am testing with is currently running FreeBSD 10.2-RC3, with
Squid 3.5.7, and LibreSSL 2.2.2. The Apache 2.4.16 server behind squid
is using the same cipher list settings, and the same LibreSSL 2.2.2
library, and the same certificate file.
Here is the squid https_port line.
https_port 443 accel defaultsite=www.dweimer.net \
cert=/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt \
key=/common/GoDaddy.Cert/dweimer.net.key \
options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
dhparams=dh.params \
cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4 \
vhost
Apache SSL Configuration
SSLHonorCipherOrder On
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
SSLCertificateFile "/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt"
SSLCertificateKeyFile "/common/GoDaddy.Cert/dweimer.net.key"
Apache test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
...
Squid test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
...
Squid Test with cipher from Apache specified:
openssl s_client -tls1_2 -cipher ECDHE-RSA-CHACHA20-POLY1305 -connect
192.168.5.3:443
CONNECTED(00000003)
34381405160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1133:SSL alert number 40
34381405160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:522:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
Squid does however use this cipher when connecting to the Apache server,
even though the client isn't using a forward secrecy capable cipher
(TLS_RSA_WITH_AES_256_CBC_SHA TLS1.2 reported by Firefox), determined by
using a script with the PHP $_SERVER predefined variable connected
through the reverse proxy.
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE Apache/2.4.16 (FreeBSD) LibreSSL/2.2.2 SVN/1.8.14
PHP/5.6.11
SSL_CIPHER ECDHE-RSA-CHACHA20-POLY1305
Does anyone see something missing in my https_port configuration that is
causing it to not use the ECDHE keys?
--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
More information about the squid-users
mailing list