[squid-users] Squid 4: Cloudflare SSL connection problem

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 15 09:17:19 UTC 2016


On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
> 
> Ok, nobody.
> 
> Well.
> 
> I've done my own research.
> 
> My suggestions:
> 
> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
> patches with CHACHA Poly support.
> 
> These patches are not in upstream. Moreover, the OpenSSL team has no plans in the
> foreseeable future to support the latest ciphers.
> 
> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid
> 4.x branch bug, because 3.5.x does handshake with CF.
> 
> LibreSSL does CHACHA right now.
> 
> The question is:
> 
> Amos, can Squid support LibreSSL and, if not, when do you plan to support it?

Yes, Squid does support LibreSSL. You can build against it with the
--with-openssl configure option, maybe using a =path parameter to ensure
it doesn't find an OpenSSL install.

The difference between LibreSSL and OpenSSL is likely to be more visible
in the squid.conf settings that it will accept and those that it
rejects. They are still basically the same, but I know that the LibreSSL
guys are being very proactive removing old things like SSLv2 support. So
those config options won't work even when Squid-3.5 normally would
accept them with OpenSSL.

Amos

