[squid-users] Trying to verify couple tls issues
Eliezer Croitoru
ngtech1ltd at gmail.com
Mon Jan 18 17:04:36 UTC 2021
I wrote the following "helping/helper/testing scripts":
https://github.com/elico/tls-check-script/blob/master/tls-check.rb
https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh
Now I am trying to verify what issues exist that cause Squid to produce this
result:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
error:00000001:lib(0):func(0):reason(1) (1/-1)
connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
flags=33
So the output of: bash check-dns-san.sh 161.117.96.220 443 is:
## START
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA
CA 2018
verify return:1
depth=0 CN = data.mistat.intl.xiaomi.com
verify return:1
DONE
X509v3 Subject Alternative Name:
DNS:data.mistat.intl.xiaomi.com
## END
And then I am testing with the following command: ruby tls-check.rb
161.117.96.220 443 and the output is:
## START
### Number of Ciphers to be tested: 66
### Timeout per test: 3
### Delay between tests: 1
Testing TLS_AES_256_GCM_SHA384... NO, SSL_CTX_set_cipher_list
Testing TLS_CHACHA20_POLY1305_SHA256... NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_GCM_SHA256... NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_CCM_SHA256... NO, SSL_CTX_set_cipher_list
Testing ECDHE-ECDSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED:
ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
Testing DHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM8... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM... NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM8... NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-GCM-SHA256... CONNECTED:
ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM8... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM... NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM8... NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA384... CONNECTED: ECDHE-RSA-AES256-SHA384, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA256... CONNECTED: ECDHE-RSA-AES128-SHA256, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA... CONNECTED: ECDHE-RSA-AES256-SHA, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA... NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA... NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA... NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA... CONNECTED: ECDHE-RSA-AES128-SHA, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA... NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA... NO, sslv3 alert handshake failure
Testing AES256-GCM-SHA384... CONNECTED: AES256-GCM-SHA384, YES, Secure
Renegotiation IS supported
Testing AES256-CCM8... NO, sslv3 alert handshake failure
Testing AES256-CCM... NO, sslv3 alert handshake failure
Testing ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure
Testing AES128-GCM-SHA256... CONNECTED: AES128-GCM-SHA256, YES, Secure
Renegotiation IS supported
Testing AES128-CCM8... NO, sslv3 alert handshake failure
Testing AES128-CCM... NO, sslv3 alert handshake failure
Testing ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure
Testing AES256-SHA256... CONNECTED: AES256-SHA256, YES, Secure
Renegotiation IS supported
Testing CAMELLIA256-SHA256... NO, sslv3 alert handshake failure
Testing AES128-SHA256... CONNECTED: AES128-SHA256, YES, Secure
Renegotiation IS supported
Testing CAMELLIA128-SHA256... NO, sslv3 alert handshake failure
Testing AES256-SHA... CONNECTED: AES256-SHA, YES, Secure Renegotiation IS
supported
Testing CAMELLIA256-SHA... NO, sslv3 alert handshake failure
Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure Renegotiation IS
supported
Testing CAMELLIA128-SHA... NO, sslv3 alert handshake failure
Testing DHE-RSA-SEED-SHA... NO, sslv3 alert handshake failure
Testing SEED-SHA... NO, sslv3 alert handshake failure
Testing IDEA-CBC-SHA... NO, ssl_cipher_process_rulestr
## END
I assume that the above results might give a clue why the mentioned error line:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
error:00000001:lib(0):func(0):reason(1) (1/-1)
connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
flags=33
happens. However, I am not sure.
Is there any config that might affect this negotiation in Squid?
Thanks,
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
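An added example, not part of the original post or of the tls-check-script project: a small Ruby summariser for the tls-check.rb output above. It separates ciphers the server accepted, ciphers the server refused with a handshake alert, and ciphers the local OpenSSL could not even configure (the "SSL_CTX_set_cipher_list" and "ssl_cipher_process_rulestr" lines), which say nothing about the server; OpenSSL 1.1.1 sets TLS 1.3 suites through SSL_CTX_set_ciphersuites rather than SSL_CTX_set_cipher_list, so the four TLS_* results are untested rather than unsupported. The sample is a constructed subset of the output above with the mail's wrapped lines rejoined.

```ruby
# Constructed sample: a subset of the tls-check.rb output from the post,
# with each result on one line.
SAMPLE = <<~OUT
  Testing TLS_AES_256_GCM_SHA384... NO, SSL_CTX_set_cipher_list
  Testing ECDHE-ECDSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
  Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
  Testing DHE-RSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure
  Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported
  Testing IDEA-CBC-SHA... NO, ssl_cipher_process_rulestr
OUT

LINE_RE = /\ATesting (\S+)\.\.\. (CONNECTED|NO)(?:[:,] (.*))?\z/
# Reasons that name a local OpenSSL API function: the probe never reached the
# network, so the server's support for that cipher is unknown, not absent.
LOCAL_ERRORS = %w[SSL_CTX_set_cipher_list ssl_cipher_process_rulestr].freeze

# Returns {name:, verdict:, reason:} for one result line, or nil for other text.
def classify(line)
  m = LINE_RE.match(line.strip) or return nil
  name, status, rest = m.captures
  verdict = if status == "CONNECTED" then :accepted
            elsif LOCAL_ERRORS.any? { |e| rest.to_s.start_with?(e) } then :untested
            else :rejected
            end
  { name: name, verdict: verdict, reason: rest }
end

# Key exchange / authentication family derived from the OpenSSL cipher name;
# names with no kx prefix use plain RSA key transport (no forward secrecy).
def family(name)
  return "TLS1.3" if name.start_with?("TLS_")
  kx = if name.start_with?("ECDHE-") then "ECDHE"
       elsif name.start_with?("DHE-") then "DHE"
       else "RSA-kx"
       end
  "#{kx}/#{name.include?('ECDSA') ? 'ECDSA' : 'RSA'}"
end

def summarize(text)
  by = Hash.new { |h, k| h[k] = [] }
  text.lines.map { |l| classify(l) }.compact.each { |r| by[r[:verdict]] << r[:name] }
  { accepted: by[:accepted], rejected: by[:rejected], untested: by[:untested],
    accepted_families: by[:accepted].map { |n| family(n) }.uniq,
    forward_secrecy_only: by[:accepted].all? { |n| n.start_with?("ECDHE-", "DHE-") } }
end

if __FILE__ == $PROGRAM_NAME
  s = summarize(SAMPLE)
  puts "accepted (#{s[:accepted].size}): #{s[:accepted].join(', ')}"
  puts "families: #{s[:accepted_families].join(', ')}"
  puts "untested locally: #{s[:untested].join(', ')}"
  puts "forward secrecy only: #{s[:forward_secrecy_only]}"
end
```

Run against the full output above, the accepted list is RSA-authenticated only (ECDHE-RSA-* and plain RSA key transport), which is consistent with the RSA certificate chain that check-dns-san.sh printed.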