[squid-users] Squid4 with ssl-bump single_dh_use unknown
Peter Viskup
skupko.sk at gmail.com
Mon Feb 19 08:40:06 UTC 2018
Amos answered in another post [1]
[1]
http://lists.squid-cache.org/pipermail/squid-users/2018-February/017640.html
More information:
https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#SSL_OP_SINGLE_DH_USE
As of 1.0.2f single-DH key use is always on, and this option does nothing,
and is retained for compatibility.
On Wed, Feb 14, 2018 at 2:31 PM, Peter Viskup <skupko.sk at gmail.com> wrote:
> Crypto part of the configure log:
>
> checking for nettle_md5_init in -lnettle... yes
> checking nettle/md5.h usability... yes
> checking nettle/md5.h presence... yes
> checking for nettle/md5.h... yes
> checking nettle/base64.h usability... yes
> checking nettle/base64.h presence... yes
> checking for nettle/base64.h... yes
> checking for Nettle 3.4 API compatibility... no
> configure: Using Nettle cryptographic library: yes
> checking for crypt in -lcrypt... yes
> checking for MD5Init in -lmd5... no
> checking for LIBGNUTLS... yes
> checking gnutls/gnutls.h usability... yes
> checking gnutls/gnutls.h presence... yes
> checking for gnutls/gnutls.h... yes
> checking gnutls/x509.h usability... yes
> checking gnutls/x509.h presence... yes
> checking for gnutls/x509.h... yes
> configure: GnuTLS library support: auto -lgnutls
> checking openssl/bio.h usability... yes
> checking openssl/bio.h presence... yes
> checking for openssl/bio.h... yes
> checking openssl/crypto.h usability... yes
> checking openssl/crypto.h presence... yes
> checking for openssl/crypto.h... yes
> checking openssl/err.h usability... yes
> checking openssl/err.h presence... yes
> checking for openssl/err.h... yes
> checking openssl/md5.h usability... yes
> checking openssl/md5.h presence... yes
> checking for openssl/md5.h... yes
> checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> checking openssl/x509v3.h usability... yes
> checking openssl/x509v3.h presence... yes
> checking for openssl/x509v3.h... yes
> checking openssl/engine.h usability... yes
> checking openssl/engine.h presence... yes
> checking for openssl/engine.h... yes
> checking openssl/txt_db.h usability... yes
> checking openssl/txt_db.h presence... yes
> checking for openssl/txt_db.h... yes
> checking for LIBOPENSSL... yes
> checking for EVP_PKEY_get0_RSA in -lcrypto... yes
> checking for BIO_meth_new in -lcrypto... yes
> checking for BIO_get_init in -lcrypto... yes
> checking for ASN1_STRING_get0_data in -lcrypto... yes
> checking for X509_STORE_CTX_get0_cert in -lcrypto... yes
> checking for X509_VERIFY_PARAM_get_depth in -lcrypto... yes
> checking for X509_STORE_CTX_get0_untrusted in -lcrypto... yes
> checking for X509_STORE_CTX_set0_untrusted in -lcrypto... yes
> checking for X509_up_ref in -lcrypto... yes
> checking for X509_CRL_up_ref in -lcrypto... yes
> checking for DH_up_ref in -lcrypto... yes
> checking for X509_get0_signature in -lcrypto... yes
> checking for SSL_CIPHER_find in -lssl... yes
> checking for SSL_CTX_set_tmp_rsa_callback in -lssl... no
> checking for SSL_SESSION_get_id in -lssl... yes
> checking for TLS_method in -lssl... yes
> checking for TLS_client_method in -lssl... yes
> checking for TLS_server_method in -lssl... yes
> checking for SSL_CTX_get0_certificate in -lssl... yes
> checking whether SSL_CTX_new and similar openSSL API functions require
> 'const SSL_METHOD *'"... yes
> checking whether SSL_get_new_ex_index() dup callback accepts 'const
> CRYPTO_EX_DATA *'"... yes
> checking whether SSL_CTX_sess_set_get_cb() callback accepts a const ID
> argument"... yes
> checking "whether X509_get0_signature() accepts const parameters"... yes
> checking whether the TXT_DB use OPENSSL_PSTRING data member... yes
> checking whether the squid workaround for buggy versions of
> sk_OPENSSL_PSTRING_value should used... no
> checking whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros
> should used... yes
> checking whether hello message can be overwritten in SSL struct... no
> configure: OpenSSL library support: yes -lssl -lcrypto
>
>
> On Wed, Feb 14, 2018 at 2:02 PM, Peter Viskup <skupko.sk at gmail.com> wrote:
> > Build of squid 4.0.23 on current Debian 9 report the single_dh_use as
> not known.
> > Older build of squid 3.5.21 on Debian 8 doesn't report it.
> > According the documentation [1] it should be known and supported.
> >
> > [1] http://www.squid-cache.org/Doc/config/http_port/
> >
> > Is it a bug?
> >
> > Peter
> >
> > $ /usr/sbin/squid -v
> > Squid Cache: Version 4.0.23
> > Service Name: squid
> > Squid built with SSLBump
> >
> > This binary uses OpenSSL 1.1.0f 25 May 2017. For legal restrictions
> > on distribution see https://www.openssl.org/source/license.html
> >
> > configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
> > '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> > '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> > '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
> > '--disable-maintainer-mode' '--disable-dependency-tracking'
> > '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2
> > -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
> > -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
> > -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian
> > linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> > '--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid'
> > '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
> > '--disable-loadable-modules' '--enable-storeio=aufs,rock'
> > '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> > '--enable-cache-digests' '--enable-icap-client'
> > '--enable-follow-x-forwarded-for' '--enable-auth'
> > '--enable-external-acl-helpers=file_userip,session,
> SQL_session,time_quota,unix_group'
> > '--enable-security-cert-validators=fake'
> > '--enable-storeid-rewrite-helpers=file'
> > '--enable-url-rewrite-helpers=fake' '--enable-eui' '--disable-esi'
> > '--enable-icmp' '--enable-zph-qos' '--disable-ecap'
> > '--disable-translation' '--disable-ident-lookups'
> > '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
> > '--with-pidfile=/var/run/squid/squid.pid'
> > '--with-filedescriptors=65536' '--with-large-files'
> > '--with-default-user=proxy' '--enable-security-cert-generators=file'
> > '--enable-ssl-crtd' '--with-openssl' '--without-mit-krb5'
> > '--without-heimdal-krb5' '--disable-wccp' '--disable-wccpv2'
> > '--disable-ipv6' '--enable-build-info=Squid built with SSLBump'
> > '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g
> > -O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong
> > -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro
> > -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
> > 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=.
> > -fstack-protector-strong -Wformat -Werror=format-security'
> >
> > $ /usr/sbin/squid -k parse -d 9 -n test
> > 2018/02/14 13:33:41| Startup: Initializing Authentication Schemes ...
> > 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'basic'
> > 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'digest'
> > 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme
> 'negotiate'
> > 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'ntlm'
> > 2018/02/14 13:33:41| Startup: Initialized Authentication.
> > 2018/02/14 13:33:41| WARNING: BCP 177 violation. IPv6 transport forced
> > OFF by build parameters.
> > 2018/02/14 13:33:41| Processing Configuration File:
> > /etc/squid/squid.conf (depth 0)
> > 2018/02/14 13:33:41| Processing: acl localnet src 10.0.0.0/8
> > # RFC 1918 local private network (LAN)
> > 2018/02/14 13:33:41| Processing: acl SSL_ports port 443 990
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 80 # http
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 21 # ftp
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 443
> # https
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 70 # gopher
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 210
> # wais
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 1025-65535 #
> > unregistered ports
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 280
> > # http-mgmt
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 488
> > # gss-http
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 591
> > # filemaker
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 777
> > # multiling http
> > 2018/02/14 13:33:41| Processing: acl Safe_ports port 990
> # ftps
> > 2018/02/14 13:33:41| Processing: acl CONNECT method CONNECT
> > 2018/02/14 13:33:41| Processing: acl purge method PURGE
> > 2018/02/14 13:33:41| Processing: http_access deny !Safe_ports
> > 2018/02/14 13:33:41| Processing: http_access deny CONNECT !SSL_ports
> > 2018/02/14 13:33:41| Processing: http_access allow localhost manager
> > 2018/02/14 13:33:41| Processing: http_access deny manager
> > 2018/02/14 13:33:41| Processing: http_access allow localhost purge
> > 2018/02/14 13:33:41| Processing: http_access deny purge
> > 2018/02/14 13:33:41| Processing: http_access allow localhost
> > 2018/02/14 13:33:41| Processing: http_access deny all
> > 2018/02/14 13:33:41| Processing: include /etc/squid/conf.d/test-http_
> port.conf
> > 2018/02/14 13:33:41| Processing Configuration File:
> > /etc/squid/conf.d/test-http_port.conf (depth 1)
> > 2018/02/14 13:33:41| Processing: http_port 8080 ssl-bump name=test
> > options=NO_SSLv3 cert=/etc/squid/cert/serverproxyCA.pem
> > generate-host-certificates=on tls-default-ca=off
> > options=SINGLE_DH_USE:SINGLE_ECDH_USE
> > tls-dh=/etc/squid/cert/dhparam.pem
> > sslflags=NO_SESSION_REUSE:VERIFY_CRL
> > cipher=EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:
> EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:
> ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-
> SHA:DHE-RSA-AES128-SHA
> > 2018/02/14 13:33:41| ERROR: Unknown TLS option SINGLE_DH_USE
> > 2018/02/14 13:33:41| ERROR: Unknown TLS option SINGLE_ECDH_USE
> > .....
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180219/e2e822e4/attachment-0001.html>
More information about the squid-users
mailing list