[squid-users] LEGACY_SERVER_CONNECT, ALLOW_UNSAFE_LEGACY_RENEGOTIATION does not work - SSL bump, OpenSSL 3

Amish anon.amish at gmail.com
Mon Dec 26 06:26:45 UTC 2022


Hello,

After sending the previous (quoted below) email, I came across another 
recent thread [1] where it is mentioned by Alex that:

 > If SslBump configuration peeks at the server, then Squid cannot honor 
tls_outgoing_options.

So here are the ssl_bump options too, in case that information is required:

ssl_bump peek ssl_step1 # step1 - so not peeking at the server yet
ssl_bump splice nosslbump_domains # step2 or 3, tunnel some domains we do not want to bump
ssl_bump stare all # step2 stare (not peek) at the server
ssl_bump bump all # step3, bump all connections that reached here

So I think in my case (previous email), squid should honor 
tls_outgoing_options.

Regards,

[1] 
http://lists.squid-cache.org/pipermail/squid-users/2022-December/025507.html

Amish

On 26/12/22 11:16, Amish wrote:
> Hello
>
> I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)
>
> I have set up SSL bump, which was working fine with the OpenSSL 1.1.1 series.
>
> With OpenSSL 3.0.7, SSL bump still works fine except for some 
> (unpatched) sites.
>
> For example:
> https://www.jio.com/ (A leading mobile network provider in India)
>
> For the above site, squid throws an error page with this message:
>
>     [No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1)
>     Failed to establish a secure connection: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
>
>
> Testing the same site with OpenSSL (via s_client) also fails unless 
> legacy renegotiation is enabled:
>
> $ openssl s_client -connect www.jio.com:443
> 40C7F204E37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
>
> $ openssl s_client -legacy_renegotiation -connect www.jio.com:443
> depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
> ...
>
>
> Since the website is an important one, I am trying to tell squid to 
> allow legacy server connect (I also tried with unsafe renegotiation).
>
> Source: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
>
> squid.conf:
>
> # workaround for legacy / unpatched servers
> tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> # other related TLS settings
> tls_outgoing_options cafile=/etc/ssl/cert.pem
>
> tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>
> # systemctl reload squid
>
> But I am still getting the same error when trying to connect to the 
> above site via the squid proxy. (It works fine without the proxy.)
>
> What am I doing wrong?
>
> Tips / help appreciated,
>
> Thank you,
>
> Amish.
>
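Added example (editor's note, not Squid's code and not part of either of Amish's emails): the openssl s_client test from the quoted email, done programmatically so it can be run per host before deciding which servers need the workaround. The underlying cause is that OpenSSL 3.0 no longer sets SSL_OP_LEGACY_SERVER_CONNECT by default, so an initial handshake to a server without RFC 5746 (secure renegotiation) now fails with "unsafe legacy renegotiation disabled", whereas 1.1.1 allowed it silently. The script maps the two option names used in squid.conf onto the OpenSSL option bits (that table is the example's own, not Squid's parser), builds a client context with them, and classifies a host as "ok" or "needs-legacy-server-connect". The probe() function needs network access; everything else runs offline.

```python
"""Probe whether a TLS server needs OpenSSL's LEGACY_SERVER_CONNECT option.

Added example for this thread, not Squid's code.  OpenSSL 3.0 stopped setting
SSL_OP_LEGACY_SERVER_CONNECT by default, so the first handshake to a server
that does not implement RFC 5746 (secure renegotiation) now fails with
"unsafe legacy renegotiation disabled".  Run as: python probe.py host [host...]
"""
import socket
import ssl

# Bit values from OpenSSL's <openssl/ssl.h>.  Python 3.12+ exposes the first
# one as ssl.OP_LEGACY_SERVER_CONNECT; older versions need the raw value.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x40000  # not exposed by the ssl module

# Option names as written in "tls_outgoing_options options=..." mapped to
# OpenSSL bits.  This table is an assumption of the example, not Squid's own.
OPTION_BITS = {
    "LEGACY_SERVER_CONNECT": OP_LEGACY_SERVER_CONNECT,
    "ALLOW_UNSAFE_LEGACY_RENEGOTIATION": OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
}


def parse_options(spec):
    """Turn 'LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION' into a bitmask."""
    mask = 0
    for name in spec.split(","):
        name = name.strip()
        if not name:
            continue
        if name not in OPTION_BITS:
            raise ValueError("unknown option %r" % name)
        mask |= OPTION_BITS[name]
    return mask


def make_context(option_spec="", cafile=None):
    """Client context with certificate verification on, plus the requested
    OpenSSL options (the equivalent of Squid's options= setting)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.options |= parse_options(option_spec)
    return ctx


def is_legacy_renegotiation_error(exc):
    """True for OpenSSL's 'unsafe legacy renegotiation disabled' (0A000152)."""
    msg = str(exc).lower()
    return "unsafe legacy renegotiation disabled" in msg or "0a000152" in msg


def probe(host, port=443, timeout=5.0):
    """Classify a server: 'ok', 'needs-legacy-server-connect' or 'error: ...'.

    Needs network access.  First tries the OpenSSL 3 defaults; if that fails
    with the legacy-renegotiation error, retries with only
    LEGACY_SERVER_CONNECT, the narrower of the two options for this case.
    """
    for spec in ("", "LEGACY_SERVER_CONNECT"):
        ctx = make_context(spec)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass  # handshake completes inside wrap_socket()
        except ssl.SSLError as exc:  # must precede OSError (it is a subclass)
            if spec == "" and is_legacy_renegotiation_error(exc):
                continue
            return "error: %s" % exc
        except OSError as exc:
            return "error: %s" % exc
        return "ok" if spec == "" else "needs-legacy-server-connect"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py host [host ...]")
    for h in sys.argv[1:]:
        print(h, probe(h))
```

A host that comes back as "needs-legacy-server-connect" is one whose TLS stack cannot protect renegotiation against the prefix-injection attack that RFC 5746 was written to stop, so the option should be scoped to the few such hosts rather than enabled for all outgoing connections.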

