[squid-users] Squid 4: Cloudflare SSL connection problem
Yuri Voinov
yvoinov at gmail.com
Sat Apr 16 11:18:17 UTC 2016
mozilla.org now has the same issue on Squid 4 like CloudFlare:
https://i1.someimage.com/P03GmSY.png
All ok but handshake does not complete:
root @ cthulhu / # /usr/local/bin/openssl s_client -connect
mozilla.org:443 -CApath /etc/ope/csw/ssl/certs
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
High Assurance EV CA-1
verify return:1
depth=0 businessCategory = Private Organization,
1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = California,
serialNumber = C2543436, street = 650 Castro St Ste 300, postalCode =
94041, C = US, ST = California, L = Mountain View, O = Mozilla
Foundation, CN = www.mozilla.org
verify return:1
---
Certificate chain
0 s:/businessCategory=Private
Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650
Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain
View/O=Mozilla Foundation/CN=www.mozilla.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance EV CA-1
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance EV CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHWTCCBkGgAwIBAgIQBQ5gs8e9nTbV62rD+8G95jANBgkqhkiG9w0BAQUFADBp
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBDQS0xMB4XDTE1MTEyNDAwMDAwMFoXDTE2MTIyOTEyMDAwMFowggEFMR0w
GwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJV
UzEbMBkGCysGAQQBgjc8AgECEwpDYWxpZm9ybmlhMREwDwYDVQQFEwhDMjU0MzQz
NjEeMBwGA1UECRMVNjUwIENhc3RybyBTdCBTdGUgMzAwMQ4wDAYDVQQREwU5NDA0
MTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
dW50YWluIFZpZXcxGzAZBgNVBAoTEk1vemlsbGEgRm91bmRhdGlvbjEYMBYGA1UE
AxMPd3d3Lm1vemlsbGEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAuHHB4NGHII28Vm4WrSFjZN5YM0bEBuVbPcwbwBAEinRe9Iwwwye359vVs24o
5YRnSkjkJYfrXHEb8f836GXBotN1xcxsrOi7brTJcA4qeE5ntby6V6wdlxKEy5mt
2Fd9P7wl9v1UlXmHyFxpF9UlDDoSuiDGUO+Q0U9lipKOrKoA3Q1Uzp/ntwrZL01B
V4AUgTQf6b1HLu3ZD8CUG9xrq4Isi4OIMaJQX+kVwrQqxLe3Ahmjq9uP2iXAiLf7
aVluTyFgfAfvv1/pf0193zgQoe0oGDReh5/QrbO6j+XtV2sHDnDen+mQO2/GNwET
fQPCIKIroGf4JUnftt7Cwz1KmQIDAQABo4IDXTCCA1kwHwYDVR0jBBgwFoAUTFjL
JfBBT1L0KMiBQ5umqKDmkuUwHQYDVR0OBBYEFIPU1A81pLqLvmE3YsGWDTbHxzc5
MCcGA1UdEQQgMB6CD3d3dy5tb3ppbGxhLm9yZ4ILbW96aWxsYS5vcmcwDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBjBgNVHR8E
XDBaMCugKaAnhiVodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3Js
MCugKaAnhiVodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3JsMEsG
A1UdIAREMEIwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9DUFMwBwYFZ4EMAQEwfQYIKwYBBQUHAQEEcTBvMCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRwYIKwYBBQUHMAKGO2h0
dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VF
VkNBLTEuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoB
aAB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUTfFoGwAAAQD
AEcwRQIgPZSqJS9xxOfr4sFkB73ocAWRnHK4/fgEkIvVubEtLwkCIQDIXB59Y1A4
SgdJPmwIeRXjshq7jkmz7mgc0Nap53UG2AB2AGj2mPgfZIK+OozuuSgdTPxxUV1n
k9RE0QpnrLtPT/vEAAABUTfFoJ0AAAQDAEcwRQIgUGvntxlKFSY7iveb6BCCdGhs
28DU5EF1TcFH4DHAnX0CIQDstuSiKY0gs3YJ6x4S+GOxuK7V/8zEhNF7vEYADCPX
6QB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABUTfFoVUAAAQD
AEcwRQIhAInj1bkZoUGmg39jrIN0z9tAmjPPc39UW3X/xP49q3C1AiBLG+iv0BKe
sbUPcoFF6DYlr+rp7fbplMYNT60UnVAlrTANBgkqhkiG9w0BAQUFAAOCAQEAvc7m
sTP08cANcDPsPyEKXAvv9CW1ugYLUK4XC/JylqCiluDYbgazfjRTraTbDNlmXk+Y
SEVBFGJX005hIhn/qztA/+p2XEcnMJWy1cyCflxdQKWn51XGhN1jlTAa31Ps7WI/
YPAL2taqn5EBDtUFT5790/ve09Fnyhh6elnXuy9ujJRCuVn+oXTtKlhVrIjEjzZ9
zFyyv3SaTWX9xb9MBfOPaO6cGihHjhAo4mj3X6fJsvEnNGqs/NJXCpwiprjbidjL
yeKPUhN2/hSSDAmzFd4X+B1Xx7cUXWkJHQrfosFSoiRDYmX/JnAgr0ObibjKuWPV
9Rs6HCB6QKS3grfX/w==
-----END CERTIFICATE-----
subject=/businessCategory=Private
Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650
Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain
View/O=Mozilla Foundation/CN=www.mozilla.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4163 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA
Session-ID-ctx:
Master-Key:
D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B
Start Time: 1460805325
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
access.log also got NONE/503:
1460805179.734 0 192.168.100.103 NONE/503 3944 GET
https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
and cache.log:
2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56:
error:00000000:lib(0):func(0):reason(0) (5/0/0)
15.04.16 15:17, Amos Jeffries пишет:
> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
>> Ok, nobody.
>>
>> Well.
>>
>> I've done my own research.
>>
>> My suggestions:
>>
>> CloudFlare now uses it's own custom OpenSSL 1.0.2 with very custom
>> patches with CHACHA Poly support.
>>
>> This patches is not in upstream. Moreover, OpenSSL team no plans in the
>> foreseeable future to support the latest ciphers.
>>
>> So, Squid 4 can't handshake TLS with CF right now. Possible it is Squid
>> 4.x branch bug. Because of 3.5.x does CF handshake.
>>
>> LibreSSL does CHACHA right now.
>>
>> The question is:
>>
>> Amos, does Squid can support LibreSSL and, if no, when you plan to support?
> Yes Squid does support LibreSSL. You can build against it with the
> --with-openssl configure option, maybe using a =path parameter to ensure
> it dont find an OpenSSL install.
>
> The difference between LibreSSL and OpenSSL is likely to be more visible
> in the squid.conf settings that it will accept and those that it
> rejects. They are still basically the same but I know that the LibreSSL
> guys are being very proactive removing old things like SSLv2 support. So
> those config options wont work even when Squid-3.5 normally would
> accepts them with OpenSSL.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list