[squid-users] Squid 4: Cloudflare SSL connection problem

Yuri Voinov yvoinov at gmail.com
Sat Apr 16 16:55:31 UTC 2016


So.

Still no ideas?

16.04.16 22:50, Yuri Voinov writes:
>
> 3.5.16 on *NIX also has this issue.
>
> Only 3.5.16 Win64 works like a charm.
>
> 16.04.16 17:18, Yuri Voinov writes:
> > mozilla.org now has the same issue on Squid 4 as CloudFlare:
> >
> > https://i1.someimage.com/P03GmSY.png
> >
> > All ok but handshake does not complete:
> >
> > root @ cthulhu / # /usr/local/bin/openssl s_client -connect mozilla.org:443 -CApath /etc/ope/csw/ssl/certs
> > CONNECTED(00000003)
> > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> > verify return:1
> > depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
> > verify return:1
> > depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = California, serialNumber = C2543436, street = 650 Castro St Ste 300, postalCode = 94041, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = www.mozilla.org
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> >  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > MIIHWTCCBkGgAwIBAgIQBQ5gs8e9nTbV62rD+8G95jANBgkqhkiG9w0BAQUFADBp
> > MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> > d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
> > ZSBFViBDQS0xMB4XDTE1MTEyNDAwMDAwMFoXDTE2MTIyOTEyMDAwMFowggEFMR0w
> > GwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJV
> > UzEbMBkGCysGAQQBgjc8AgECEwpDYWxpZm9ybmlhMREwDwYDVQQFEwhDMjU0MzQz
> > NjEeMBwGA1UECRMVNjUwIENhc3RybyBTdCBTdGUgMzAwMQ4wDAYDVQQREwU5NDA0
> > MTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
> > dW50YWluIFZpZXcxGzAZBgNVBAoTEk1vemlsbGEgRm91bmRhdGlvbjEYMBYGA1UE
> > AxMPd3d3Lm1vemlsbGEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
> > AQEAuHHB4NGHII28Vm4WrSFjZN5YM0bEBuVbPcwbwBAEinRe9Iwwwye359vVs24o
> > 5YRnSkjkJYfrXHEb8f836GXBotN1xcxsrOi7brTJcA4qeE5ntby6V6wdlxKEy5mt
> > 2Fd9P7wl9v1UlXmHyFxpF9UlDDoSuiDGUO+Q0U9lipKOrKoA3Q1Uzp/ntwrZL01B
> > V4AUgTQf6b1HLu3ZD8CUG9xrq4Isi4OIMaJQX+kVwrQqxLe3Ahmjq9uP2iXAiLf7
> > aVluTyFgfAfvv1/pf0193zgQoe0oGDReh5/QrbO6j+XtV2sHDnDen+mQO2/GNwET
> > fQPCIKIroGf4JUnftt7Cwz1KmQIDAQABo4IDXTCCA1kwHwYDVR0jBBgwFoAUTFjL
> > JfBBT1L0KMiBQ5umqKDmkuUwHQYDVR0OBBYEFIPU1A81pLqLvmE3YsGWDTbHxzc5
> > MCcGA1UdEQQgMB6CD3d3dy5tb3ppbGxhLm9yZ4ILbW96aWxsYS5vcmcwDgYDVR0P
> > AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBjBgNVHR8E
> > XDBaMCugKaAnhiVodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3Js
> > MCugKaAnhiVodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3JsMEsG
> > A1UdIAREMEIwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
> > LmRpZ2ljZXJ0LmNvbS9DUFMwBwYFZ4EMAQEwfQYIKwYBBQUHAQEEcTBvMCQGCCsG
> > AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRwYIKwYBBQUHMAKGO2h0
> > dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VF
> > VkNBLTEuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoB
> > aAB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUTfFoGwAAAQD
> > AEcwRQIgPZSqJS9xxOfr4sFkB73ocAWRnHK4/fgEkIvVubEtLwkCIQDIXB59Y1A4
> > SgdJPmwIeRXjshq7jkmz7mgc0Nap53UG2AB2AGj2mPgfZIK+OozuuSgdTPxxUV1n
> > k9RE0QpnrLtPT/vEAAABUTfFoJ0AAAQDAEcwRQIgUGvntxlKFSY7iveb6BCCdGhs
> > 28DU5EF1TcFH4DHAnX0CIQDstuSiKY0gs3YJ6x4S+GOxuK7V/8zEhNF7vEYADCPX
> > 6QB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABUTfFoVUAAAQD
> > AEcwRQIhAInj1bkZoUGmg39jrIN0z9tAmjPPc39UW3X/xP49q3C1AiBLG+iv0BKe
> > sbUPcoFF6DYlr+rp7fbplMYNT60UnVAlrTANBgkqhkiG9w0BAQUFAAOCAQEAvc7m
> > sTP08cANcDPsPyEKXAvv9CW1ugYLUK4XC/JylqCiluDYbgazfjRTraTbDNlmXk+Y
> > SEVBFGJX005hIhn/qztA/+p2XEcnMJWy1cyCflxdQKWn51XGhN1jlTAa31Ps7WI/
> > YPAL2taqn5EBDtUFT5790/ve09Fnyhh6elnXuy9ujJRCuVn+oXTtKlhVrIjEjzZ9
> > zFyyv3SaTWX9xb9MBfOPaO6cGihHjhAo4mj3X6fJsvEnNGqs/NJXCpwiprjbidjL
> > yeKPUhN2/hSSDAmzFd4X+B1Xx7cUXWkJHQrfosFSoiRDYmX/JnAgr0ObibjKuWPV
> > 9Rs6HCB6QKS3grfX/w==
> > -----END CERTIFICATE-----
> > subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 4163 bytes and written 446 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
> >     Session-ID: E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA
> >     Session-ID-ctx:
> >     Master-Key: D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B
> >     Start Time: 1460805325
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> >
> > access.log also got NONE/503:
> >
> > 1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
> >
> > and cache.log:
> >
> > 2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
> >
>
> > 15.04.16 15:17, Amos Jeffries writes:
> >> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
> >>> Ok, nobody.
> >>>
> >>> Well.
> >>>
> >>> I've done my own research.
> >>>
> >>> My suggestions:
> >>>
> >>> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
> >>> patches with CHACHA Poly support.
> >>>
> >>> These patches are not in upstream. Moreover, the OpenSSL team has no
> >>> plans in the foreseeable future to support the latest ciphers.
> >>>
> >>> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a
> >>> Squid 4.x branch bug, because 3.5.x does the CF handshake.
> >>>
> >>> LibreSSL does CHACHA right now.
> >>>
> >>> The question is:
> >>>
> >>> Amos, can Squid support LibreSSL and, if not, when do you plan to
> >>> support it?
> >> Yes Squid does support LibreSSL. You can build against it with the
> >> --with-openssl configure option, maybe using a =path parameter to ensure
> >> it doesn't find an OpenSSL install.
> >>
> >> The difference between LibreSSL and OpenSSL is likely to be more visible
> >> in the squid.conf settings that it will accept and those that it
> >> rejects. They are still basically the same but I know that the LibreSSL
> >> guys are being very proactive removing old things like SSLv2 support. So
> >> those config options won't work even when Squid-3.5 normally would
> >> accept them with OpenSSL.
> >>
> >> Amos
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> http://lists.squid-cache.org/listinfo/squid-users
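The two log lines quoted in the thread (an access.log `NONE/503` with `HIER_NONE`, meaning Squid never reached the origin, and a cache.log `Error negotiating SSL ... (5/0/0)`) are exactly the signal an operator wants picked up automatically when TLS interception starts failing against one CDN. The script below is an added example, not Squid's code and not anything posted in this thread. It parses both formats, decodes the OpenSSL error triple (assumption: as in Squid 3.5's PeerConnector, the triple is the SSL_get_error() code, the SSL_connect() return value and errno, so `5/0/0` is SSL_ERROR_SYSCALL with an EOF from the peer) and correlates the two logs by time. cache.log stamps are local time while access.log uses a UTC epoch, so the correlation takes the proxy's UTC offset; the thread's lines line up at UTC+6. Beyond the two quoted lines, the sample input is constructed.

```python
"""Correlate Squid access.log NONE/503 entries with cache.log TLS handshake
failures. Added example, not Squid's own code."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# OpenSSL SSL_get_error() codes (ssl.h). Assumption: the first number of
# Squid's "(a/b/c)" suffix is this code, the second the SSL_connect()
# return value and the third errno.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
}

# Squid native access.log: time elapsed client code/status bytes method
# URL user hierarchy/peer content-type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$")

CACHE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): (?P<errstr>\S+) "
    r"\((?P<sslerr>-?\d+)/(?P<ret>-?\d+)/(?P<errno>-?\d+)\)$")

ACCESS_SAMPLE = [
    # line quoted in the thread
    "1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html",
    # constructed: a second request to the same origin, same outcome
    "1460805180.102      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/ - HIER_NONE/- text/html",
    # constructed: a healthy fetch (TEST-NET peer address), must not be counted
    "1460805181.500    120 192.168.100.103 TCP_MISS/200 5120 GET https://example.org/ - HIER_DIRECT/198.51.100.7 text/html",
]
CACHE_SAMPLE = [
    # line quoted in the thread; the proxy clock there is local time, UTC+6
    "2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)",
]


def host_of(url):
    """Hostname for an absolute URL or a CONNECT-style host:port target."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def parse_access(line):
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["host"] = host_of(rec["url"])
    return rec


def explain_ssl_error(rec):
    name = SSL_ERROR_NAMES.get(rec["sslerr"], "unknown(%d)" % rec["sslerr"])
    queue = " (empty OpenSSL error queue)" if rec["errstr"].startswith("error:00000000") else ""
    if rec["sslerr"] == 5 and rec["ret"] == 0:
        return name + ": peer closed the connection mid-handshake" + queue
    if rec["sslerr"] == 5:
        return name + ": socket error, errno=%d" % rec["errno"] + queue
    if rec["sslerr"] == 1:
        return name + ": TLS protocol error " + rec["errstr"]
    return name + queue


def parse_cache_ssl_error(line, utc_offset_hours=0):
    """cache.log stamps are local time; convert with the proxy's UTC offset."""
    m = CACHE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("fd", "sslerr", "ret", "errno"):
        rec[k] = int(rec[k])
    local = datetime.strptime(rec["date"], "%Y/%m/%d %H:%M:%S")
    rec["ts"] = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).timestamp()
    rec["meaning"] = explain_ssl_error(rec)
    return rec


def summarize(access_lines, cache_lines, utc_offset_hours=0, window=2.0):
    """Count origins Squid never reached (NONE/503 with HIER_NONE) and pair
    each 503 with handshake errors logged within `window` seconds of it."""
    access = [r for r in map(parse_access, access_lines) if r]
    errors = [r for r in (parse_cache_ssl_error(l, utc_offset_hours) for l in cache_lines) if r]
    unreached = Counter(r["host"] for r in access
                        if r["code"] == "NONE" and r["status"] == 503 and r["hier"] == "HIER_NONE")
    pairs = [(r["host"], e["fd"], e["meaning"]) for r in access for e in errors
             if r["status"] == 503 and abs(r["ts"] - e["ts"]) <= window]
    return {"unreached_hosts": unreached, "correlated": pairs}


if __name__ == "__main__":
    report = summarize(ACCESS_SAMPLE, CACHE_SAMPLE, utc_offset_hours=6)
    for host, n in report["unreached_hosts"].most_common():
        print("%-20s %d unreached (NONE/503)" % (host, n))
    for host, fd, meaning in report["correlated"]:
        print("%s <-> FD %d: %s" % (host, fd, meaning))
```

Run it against real logs by feeding `open(...)` iterators instead of the sample lists; with the wrong `utc_offset_hours` the correlation silently finds nothing, which is itself a useful sanity check before trusting the output. A host that keeps appearing under `unreached` while the `openssl s_client` handshake to it succeeds, as in the thread, points at the proxy's own TLS stack rather than at the origin.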
