[squid-users] Fwd: Squid ssl bumping. Ssl bumping not working on sites with ssl GOST cypher certificate
Amos Jeffries
squid3 at treenet.co.nz
Wed Sep 21 17:55:34 UTC 2016
On 22/09/2016 1:41 a.m., Сергин Александр wrote:
> Hi, can you please explain me, does squid support ssl bumping with site
> signed with GOST certificate?
>
The crypto details in squid.conf are almost always passed directly to
the crypto library. So Squid supports what the library does. I don't
know enough about the GOST ciphers to know if there is anything unusual
needed from Squid.
> I have OpenSSL 1.0.2d 9 Jul 2015
>
> openssl engine
> (dynamic) Dynamic engine loading support
> *(gost) Reference implementation of GOST engine*
>
That would indicate the answer is yes, unless something unusual is needed.
>
> *openssl ciphers | grep GOST*
>
> *GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89*
>
> /opt/squid/sbin/squid -v
> Squid Cache: Version 3.5.19
> Service Name: squid
> configure options: 'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
> -O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
> '--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
> '--enable-removal-policies=heap,lru' '--enable-useragent-log'
> '--enable-referer-log' '--enable-arp-acl' '--with-openssl'
> '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
> '--enable-basic-auth=all' '--enable-ntlm-auth=all'
> '--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
> '--enable-external-acl-helpers' '--with-filedescriptors=32768'
> '--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
> '--disable-static' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid'
> '--with-swapdir=/var/data/squid/cache' '--disable-arch-native'
>
> SSL bumping with dynamic certificates working well but when I try to go to
> site with GOST certificate,
> I see error -
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
>
>
> Please explain me this Error please
>
The error is produced by OpenSSL. It means one endpoint of the
Squid<->server connection has a crypto library that does not support one
of the cipher algorithms the other endpoint is requiring.
This is different from simply not being able to agree on a matching set
of ciphers to use. One of the ciphers is actively non-supported for the
use to which it is being attempted.
It could be the cipher (server not supporting GOST?), a checksum hash
(RC4, DES, SHA1 are frequently forbidden these days), or something else.
NP: That is the limit of what I know about this error sorry. Good luck
finding a fix.
Amos
More information about the squid-users
mailing list