[squid-users] Squid 4: Cloudflare SSL connection problem
Yuri Voinov
yvoinov at gmail.com
Sun Apr 17 10:50:57 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
*NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus
Torvalds. :) We are not speaking about all possible OS'es. I suggests
the matter in SSL/TLS, not OS or hands or something similar.
The problem is in CF, I think. As a maximum in peek-n-splice.
Because of I've not changed my squid.conf over last year, but approx. in
january 2016 CloudFlare stopped work via proxy, as said my field SA.
AFAIK, CF change own security settings. Also, I suggests, mozilla .org
also moved behind CF.
Ok, let's talk about squid.conf. SSL-related rows are here:
# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i
"/usr/local/squid/etc/url.nobump"
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
key=/usr/local/squid/etc/rootCA.key
options=SINGLE_DH_USE,SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
key=/usr/local/squid/etc/rootCA.key
options=SINGLE_DH_USE,SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
options=SINGLE_DH_USE,SINGLE_ECDH_USE
cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB
I see no anomalies in this lines. Ciphersuite is very relaxed.
Also, if we discuss a bug - may be better to turn on debug to know, why
4.x got first NONE_ABORTED/200 during CONNECT phase and then NONE/503
during TLS negotiate?
17.04.16 14:58, Eliezer Croitoru пишет:
> For me it works.
> ...
> The first thing to do is publish the squid.conf with a bug report and
all other related info.
> *NIX doesn't mean CentOS since on CentOS this specific issue doesn't exit.
> I assume that if it works on CentOS it will work almost the same for
Ubuntu and Debian.
>
> Eliezer
>
> On 16/04/2016 19:50, Yuri Voinov wrote:
>> 3.5.16 on *NIX is also has this issue.
>>
>> Only 3.5.16 Win64 is works like sharm.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXE2qQAAoJENNXIZxhPexGD0wH/1SkyQyaa4gHV4AhXf5RrUTM
oEyGkOcEPwYw6M4+uYgvZ1FzvjrQhS6G8RTH/XrpSZ1utt9nbNSHP+W6FnXyxNPN
J/bauCQeADWf/NUGLG8GnOMXA9LD7w20ylAwOeLe1MUQJ4DTDT4arwzExkx0kohk
4mQNqq1Q105lgh0xyUQWF/wt0Uy3hSs2pPjyK4CGPWCbRO2kmYpPANT0ejoglfsF
uWNYBN5gl4hCd9kVzo0oaVwY2sNUftc1MyYztBpYUQ9WSoHoTnlvAWcWEF7FqHV6
TIB77Pr2fURIkEIlyLIQJ7weXkueOLI8VJp3EYLX5arDDLwu4tfXKpItHx5Tjd8=
=eQPH
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160417/d5433e63/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160417/d5433e63/attachment-0001.key>
More information about the squid-users
mailing list