[squid-users] Squid 4: Cloudflare SSL connection problem
Yuri Voinov
yvoinov at gmail.com
Thu Apr 14 18:40:10 UTC 2016
Finally.
1. Squid 4 can be built with LibreSSL.
2. Squid 4 with LibreSSL starts supporting CHACHA20_POLY1305 cryptography.
3. Squid 4 with LibreSSL still can't connect with CloudFlare itself.
WBR, Yuri.
PS. I suggest a bug in the 4.x branch specific to the CF handshake.
15.04.16 0:31, Yuri Voinov wrote:
>
> Ok, nobody.
>
> Well.
>
> I've done my own research.
>
> My suggestions:
>
> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
> patches with CHACHA Poly support.
>
> These patches are not in upstream. Moreover, the OpenSSL team has no
> plans in the foreseeable future to support the latest ciphers.
>
> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a
> Squid 4.x branch bug, because 3.5.x does the CF handshake.
>
> LibreSSL does CHACHA right now.
>
> The question is:
>
> Amos, can Squid support LibreSSL and, if not, when do you plan to
> support it?
>
> 14.04.16 20:38, Yuri Voinov wrote:
> >
> > Any ideas?
> >
> > Anybody?
> >
> > 13.04.16 2:37, Yuri Voinov wrote:
> > >
> > > I suggest the matter can be openssl, not OS:
> > >
> > > root @ cthulhu /patch # openssl version -a
> > > OpenSSL 1.0.1s 1 Mar 2016
> > > built on: Tue Mar 1 15:42:26 2016
> > > platform: solaris64-x86_64-cc-sunw
> > > options: bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)
> > > compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> > > OPENSSLDIR: "/etc/opt/csw/ssl"
> > >
> > > 13.04.16 2:29, Yuri Voinov wrote:
> > > >
> > > > root @ cthulhu /patch # dig www.cloudflare.com
> > > >
> > > > ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
> > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;www.cloudflare.com. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > www.cloudflare.com. 86400 IN A 198.41.214.162
> > > > www.cloudflare.com. 86400 IN A 198.41.215.162
> > > >
> > > > ;; Query time: 538 msec
> > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
> > > > ;; MSG SIZE rcvd: 68
> > > >
> > > > root @ cthulhu /patch # uname -a
> > > > SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
> > > >
> > > > But I think OS does not matter here.
> > > >
> > > > 13.04.16 2:02, Eliezer Croitoru wrote:
> > > > >
> > > > > What does "dig www.cloudflare.com" result in?
> > > > > Also what OS are you using? I am using CentOS 7 up to date...
> > > > >
> > > > > Eliezer
> > > > >
> > > > > On 12/04/2016 21:39, Yuri Voinov wrote:
> > > > > > root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
> > > > >
> > > > > _______________________________________________
> > > > > squid-users mailing list
> > > > > squid-users at lists.squid-cache.org
> > > > > http://lists.squid-cache.org/listinfo/squid-users
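A check for the cipher-suite mismatch discussed in this thread, added here as an example; it is not code from the thread, from Squid or from Cloudflare. The "openssl s_client -cipher '...'" probe quoted above tests exactly one suite, but what decides a handshake is whether the suites the client offers overlap with the suites the server accepts, taken in the server's preference order when the server enforces it. The script models that selection with constructed cipher lists (they are illustrative, not what www.cloudflare.com actually offered in 2016), and then asks the local OpenSSL or LibreSSL, through Python's ssl module, whether it enables any ChaCha20-Poly1305 suite at all. An empty answer means the library underneath the proxy cannot talk to a ChaCha20-only peer no matter what Squid does on top of it.

```python
"""Cipher-suite overlap check for a TLS handshake.

Added example, not code from the squid-users thread. It models the
negotiation step that fails when two peers share no cipher suite: the
server picks the first suite in its own preference order that the client
also offered; with no overlap the handshake is aborted with
handshake_failure. All cipher lists below are constructed for the
example and are NOT what www.cloudflare.com actually offered in 2016.
"""
import ssl

# Constructed client offer of an OpenSSL 1.0.1-era client. OpenSSL 1.0.1
# has no ChaCha20-Poly1305 suites at all (they arrived upstream in 1.1.0).
OPENSSL_101_CLIENT = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA",
    "AES128-SHA",
]

# Constructed client offer of a LibreSSL (or OpenSSL 1.1-era) client.
LIBRESSL_CLIENT = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
] + OPENSSL_101_CLIENT

# Constructed server that accepts only ChaCha20 suites: the situation the
# thread hypothesises, used here to show the failure mode.
CHACHA_ONLY_SERVER = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

# Constructed server with a mixed preference list (ChaCha first, then AES-GCM).
MIXED_SERVER = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def negotiate(client_offer, server_prefs, server_preference=True):
    """Return the suite the server would select, or None for handshake_failure.

    With server_preference=True (the usual server setting) the server's
    order wins; otherwise the client's order is honoured.
    """
    if server_preference:
        offered = set(client_offer)
        return next((s for s in server_prefs if s in offered), None)
    supported = set(server_prefs)
    return next((s for s in client_offer if s in supported), None)


def explain(client_offer, server_prefs):
    """One-line verdict in the shape you would read off s_client output."""
    chosen = negotiate(client_offer, server_prefs)
    if chosen is None:
        return ("handshake_failure: no cipher suite in common "
                "(client offered %d, server accepts %d)"
                % (len(client_offer), len(server_prefs)))
    return "negotiated " + chosen


def local_chacha20_suites():
    """ChaCha20-Poly1305 suites enabled by default in the TLS library this
    Python is linked against. An empty list means this library cannot
    complete a handshake with a peer that accepts only ChaCha20 suites."""
    ctx = ssl.create_default_context()
    return sorted(c["name"] for c in ctx.get_ciphers() if "CHACHA20" in c["name"])


if __name__ == "__main__":
    print("local TLS library:", ssl.OPENSSL_VERSION)
    print("local ChaCha20 suites:", local_chacha20_suites() or "none")
    for label, client in (("OpenSSL 1.0.1 client", OPENSSL_101_CLIENT),
                          ("LibreSSL client     ", LIBRESSL_CLIENT)):
        print(label, "vs ChaCha-only server:", explain(client, CHACHA_ONLY_SERVER))
        print(label, "vs mixed server:      ", explain(client, MIXED_SERVER))
```

Run it with the Python that is linked against the library you actually care about (on the host above that would be the /etc/opt/csw OpenSSL 1.0.1s build, where an empty list from local_chacha20_suites() is the expected result). The negotiate() model also shows why the quoted single-cipher s_client probe is not conclusive on its own: a server with a mixed preference list still completes the handshake with an AES-GCM-only client, so a failing handshake points at the server's accepted set, not merely at the absence of ChaCha20 on the client.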