[squid-users] Transition from squid3.5 to squid4; ciphers don't work anymore, ERROR: Unknown TLS option SINGLE_DH_USE

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 17 14:01:05 UTC 2018


On 13/02/18 02:29, chiasa.men wrote:
> Hi I tried squid4.
> 
> Squid Cache: Version 4.0.23 
> This binary uses OpenSSL 1.1.1-dev  xx XXX xxxx
> 
> Before, I used:
> Squid Cache: Version 3.5.27 
> This binary uses OpenSSL 1.0.2g  1 Mar 2016
> 
> Some of the config directives changed:
> E.g.
> sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> ->
> tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE 
> 
> But that results in version 4 in the follwing errors (cache.log)
> ERROR: Unknown TLS option SINGLE_DH_USE
> ERROR: Unknown TLS option SINGLE_ECDH_USE
> 
> (same error with the same options in https_proxy)
> 
> Is that a problem related to the openssl version change?

Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated
in OpenSSL 1.0.2f and that option enabled by default.
That means it *should* be available in all Squid using those libraries.

... but your 1.1.1-dev library appears to have had it removed entirely.

It is not listed as removed officially
(<https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#SSL_OP_SINGLE_DH_USE>)
so may be related to some build option used to create the library.


> 
> 
> In cache_peer I also have now to configure tls-cafile=/etc/ssl/certs/ca-
> certificates.crt explicitly (I used some self signed certificates for testing - 
> but in Squid3 I didn't need to configure that)
> Otherwise I get: 
> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> In the reference it's stated that:
> 	tls-default-ca[=off]
> 			Whether to use the system Trusted CAs. Default is ON.
> Shouldn't the tls-cafile option be unnecessary since it's trusted by default?
> 

Yes, unless the CA is not in the system default CAs for some reason.

Some well-known companies are not trusted because of bad behaviour
getting them kicked out of the globally trusted CA registry. It might
also be related to other things in your library build.

Hard to say what exactly is going wrong without looking into that
particular cert chain which is hitting the error.


> 
> 
> Furthermore I set Apache (the peer) to "SSLCipherSuite  ECDHE-ECDSA-AES256-
> GCM-SHA384"
> as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
> 
> ERROR: negotiating TLS on FD 20: error:141A90B5:SSL 
> routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
> 
> How can that be?
> 

Not sure. Is the handshake actually trying to negotiate that cipher
correctly? or is one endpoint deciding it cannot support it?


Amos


More information about the squid-users mailing list