[squid-users] Squid 4: Cloudflare SSL connection problem
Yuri Voinov
yvoinov at gmail.com
Thu Apr 14 20:21:50 UTC 2016
Strange: connecting directly from the server via wget through the proxy works:
root @ cthulhu /tmp # wget -S https://cloudflare.com
--2016-04-15 02:19:41-- https://cloudflare.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
HTTP/1.1 302 Moved Temporarily
Server: cloudflare-nginx
Date: Thu, 14 Apr 2016 20:19:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dfeddf543b09766778140e887d88543c71460665181; expires=Fri, 14-Apr-17 20:19:41 GMT; path=/; domain=.cloudflare.com; HttpOnly
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: https://www.cloudflare.com/
CF-RAY: 2939daab044b2654-FRA
Location: https://www.cloudflare.com/ [following]
--2016-04-15 02:19:41-- https://www.cloudflare.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Thu, 14 Apr 2016 20:19:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 14 Apr 2016 19:46:02 GMT
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data:; img-src 'self' https://* data:; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://* data:; frame-src https://*; connect-src 'self' data: https://*
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Vary: Accept-Encoding
Expires: Fri, 15 Apr 2016 00:19:42 GMT
Cache-Control: public, max-age=14400
CF-RAY: 2939daae503c0f75-FRA
Length: unspecified [text/html]
Saving to: 'index.html.1'
index.html.1 [ <=> ] 15.23K --.-KB/s in 0.1s
2016-04-15 02:19:42 (121 KB/s) - 'index.html.1' saved [15597]
But clients behind the proxy can't handshake.

On 15.04.16 0:40, Yuri Voinov wrote:
>
> Finally.
>
> 1. Squid 4 can be built with LibreSSL.
> 2. Squid 4 with LibreSSL starts supporting CHACHA20_POLY1305 cryptography.
> 3. Squid 4 with LibreSSL still can't connect with CloudFlare itself.
>
> WBR, Yuri.
>
> PS. I suggest a bug in the 4.x branch specific to the CF handshake.
>
> On 15.04.16 0:31, Yuri Voinov wrote:
>
> > Ok, nobody.
> >
> > Well.
> >
> > I've done my own research.
> >
> > My suggestions:
> >
> > CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom patches with CHACHA Poly support.
> >
> > These patches are not in upstream. Moreover, the OpenSSL team has no plans in the foreseeable future to support the latest ciphers.
> >
> > So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid 4.x branch bug, because 3.5.x does the CF handshake.
> >
> > LibreSSL does CHACHA right now.
> >
> > The question is:
> >
> > Amos, can Squid support LibreSSL and, if not, when do you plan to support it?
> >
> > On 14.04.16 20:38, Yuri Voinov wrote:
> >
> > > Any ideas?
> > >
> > > Anybody?
> > >
> > > On 13.04.16 2:37, Yuri Voinov wrote:
> > >
> > > > I suggest the matter can be openssl, not the OS:
> > > >
> > > > root @ cthulhu /patch # openssl version -a
> > > > OpenSSL 1.0.1s 1 Mar 2016
> > > > built on: Tue Mar 1 15:42:26 2016
> > > > platform: solaris64-x86_64-cc-sunw
> > > > options: bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)
> > > > compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> > > > OPENSSLDIR: "/etc/opt/csw/ssl"
> > > >
> > > > On 13.04.16 2:29, Yuri Voinov wrote:
> > > >
> > > > > root @ cthulhu /patch # dig www.cloudflare.com
> > > > >
> > > > > ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
> > > > > ;; global options: +cmd
> > > > > ;; Got answer:
> > > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
> > > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > > > >
> > > > > ;; QUESTION SECTION:
> > > > > ;www.cloudflare.com. IN A
> > > > >
> > > > > ;; ANSWER SECTION:
> > > > > www.cloudflare.com. 86400 IN A 198.41.214.162
> > > > > www.cloudflare.com. 86400 IN A 198.41.215.162
> > > > >
> > > > > ;; Query time: 538 msec
> > > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > > ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
> > > > > ;; MSG SIZE rcvd: 68
> > > > >
> > > > > root @ cthulhu /patch # uname -a
> > > > > SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
> > > > >
> > > > > But I think the OS does not matter here.
> > > > >
> > > > > On 13.04.16 2:02, Eliezer Croitoru wrote:
> > > > >
> > > > > > What does "dig www.cloudflare.com" result in?
> > > > > >
> > > > > > Also what OS are you using? I am using CentOS 7 up to date...
> > > > > >
> > > > > > Eliezer
> > > > > >
> > > > > > On 12/04/2016 21:39, Yuri Voinov wrote:
> > > > > >
> > > > > > > root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
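The cipher-by-cipher check the thread does by hand with openssl s_client -cipher, as an added Python example that is not part of the thread or of Squid: it lists what the local OpenSSL build offers (no CHACHA20 entry is the "library too old" symptom discussed above) and, for each requested cipher spec, reports whether the server completed the handshake, telling a rejected handshake apart from a plain connection error. Host, port and cipher specs are parameters; the main block reuses the thread's cipher and target and adds the ChaCha20 suite as an assumed second probe.

```python
import socket
import ssl

# Added diagnostic example, not code from the squid-users thread.


def local_ciphers() -> list:
    """Cipher suite names the local OpenSSL build will offer as a TLS client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]


def local_supports(fragment: str) -> bool:
    """True if some locally offered cipher name contains `fragment`, e.g. "CHACHA20"."""
    return any(fragment in name for name in local_ciphers())


def probe(host: str, port: int, cipher_spec: str, timeout: float = 5.0) -> tuple:
    """Handshake with host:port offering only `cipher_spec` (OpenSSL cipher-list syntax).

    Returns (True, negotiated_cipher) on success, otherwise (False, reason). A rejected
    handshake is reported separately from a TCP-level error, so a server that refuses
    every offered suite is not confused with one that is simply unreachable.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return (False, "local library does not know cipher spec %r" % cipher_spec)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _protocol, _bits = tls.cipher()
                return (True, name)
    except ssl.SSLError as exc:  # server rejected the handshake (or the cert failed)
        return (False, "tls handshake failed: %s" % (exc.reason or exc))
    except OSError as exc:  # refused, timed out, unroutable, ...
        return (False, "connection failed: %s" % exc)


def report(host: str, port: int, specs) -> dict:
    """Map each cipher spec to its probe() result."""
    return {spec: probe(host, port, spec) for spec in specs}


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    print("local ChaCha20 support:", local_supports("CHACHA20"))
    # The thread's manual check, plus the ChaCha20 suite the thread suspects is required.
    for spec, result in report("www.cloudflare.com", 443,
                               ["ECDHE-ECDSA-AES128-GCM-SHA256",
                                "ECDHE-ECDSA-CHACHA20-POLY1305"]).items():
        print(spec, "->", result)
```

Run it on the proxy host and on a client behind it; if the proxy host negotiates a suite the Squid build cannot offer, the difference in local_ciphers() output between the two OpenSSL builds is the first thing to compare.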