[squid-users] LEGACY_SERVER_CONNECT, ALLOW_UNSAFE_LEGACY_RENEGOTIATION does not work - SSL bump, OpenSSL 3

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 26 16:01:49 UTC 2022


On 12/26/22 00:46, Amish wrote:

> I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)

> squid.conf:
> 
> # workaround for legacy / unpatched servers
> tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION

There are two problems here:

1. Squid v5.7 hides important configuration errors. That problem was 
fixed in master/v6 commit 61be1d8, but that fix has not been backported 
to v5. If it were, you would have seen errors like this:

     ERROR: Unknown TLS option LEGACY_SERVER_CONNECT
     ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION

You can still see those level-1 errors on stderr if you start Squid v5.7 
with "-X", but they will be drowned in a sea of debugging records. Save 
stderr output into a file and search it for ERROR.

I recommend lobbying for making the above configuration errors fatal in 
Squid v6. I would be happy to post the corresponding code changes if 
others agree that they should be fatal.


2. As the above errors imply, you are using options that Squid does not 
understand. Squid cannot pass named options that it does not understand 
to OpenSSL because Squid does not know their numerical values (OpenSSL 
API requires a numeric value to enable an option). However, you can use 
a dangerous workaround: You can specify their raw numeric values (in 
hex). You may use the table at [1] to get those values[2]:

     tls_outgoing_options options=0x4,0x40000

Disclaimer: I have not tested whether the above configuration matches 
your intent. I only know that Squid v5 does not generate an ERROR for it.


[1] https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags

[2] The table provides numerical values for OpenSSL v1 options. For 
OpenSSL v3, the table provides an SSL_OP_BIT(n) formula: 2 to the power 
of n. For example, SSL_OP_BIT(2) is, in hex notation, 0x4.
     #define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)


HTH,

Alex.


> # other related TLS related settings
> tls_outgoing_options cafile=/etc/ssl/cert.pem
> 
> tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> 
> # systemctl reload squid
> 
> But I am still getting the same error when trying to connect to the 
> above site via squid proxy. (Works fine without proxy)
> 
> What am I doing wrong?
> 
> Tips / help appreciated,
> 
> Thank you,
> 
> Amish.
> 
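The SSL_OP_BIT(n) arithmetic from footnote [2], worked through as an added example (Python; not code from this thread, from Squid or from OpenSSL). It composes the comma-separated hex list that Squid v5 accepts in `options=` from the two bit positions the reply's values imply (0x4 is bit 2, 0x40000 is bit 18), and decodes such a list back, refusing any token that is not a single bit so a mistyped mask cannot silently enable an unrelated option. The option-name-to-bit table and the helper names are assumptions for the example.

```python
# Added example: SSL_OP_BIT(n) arithmetic for Squid's numeric TLS options.
# The two bit positions below are derived from the hex values in the reply
# (0x4 == 1 << 2, 0x40000 == 1 << 18); the table itself is an assumption.
OPTION_BITS = {
    "LEGACY_SERVER_CONNECT": 2,               # SSL_OP_BIT(2)  == 0x4
    "ALLOW_UNSAFE_LEGACY_RENEGOTIATION": 18,  # SSL_OP_BIT(18) == 0x40000
}


def ssl_op_bit(n: int) -> int:
    """Mirror of OpenSSL 3's SSL_OP_BIT(n): one bit of a uint64_t mask."""
    if not 0 <= n < 64:
        raise ValueError(f"SSL_OP_BIT({n}) does not fit a 64-bit option mask")
    return 1 << n


def squid_options_value(names) -> str:
    """Render the hex list Squid v5 takes in tls_outgoing_options options=..."""
    unknown = [n for n in names if n not in OPTION_BITS]
    if unknown:
        raise KeyError(f"no bit position known for {unknown}")
    return ",".join(hex(ssl_op_bit(OPTION_BITS[n])) for n in names)


def decode_options_value(value: str):
    """Parse a hex list back into (combined mask, [(bit, name or None), ...]).

    Each token must be exactly one SSL_OP_BIT(n) value: 0x6 (bits 1 and 2
    at once) or a repeated token is an error rather than a guess.
    """
    by_bit = {bit: name for name, bit in OPTION_BITS.items()}
    mask, bits = 0, []
    for token in value.split(","):
        flag = int(token, 16)
        if flag == 0 or flag & (flag - 1):
            raise ValueError(f"{token} is not a single SSL_OP_BIT(n) value")
        n = flag.bit_length() - 1
        ssl_op_bit(n)  # range check against the 64-bit mask
        if mask & flag:
            raise ValueError(f"{token} is listed twice")
        mask |= flag
        bits.append((n, by_bit.get(n)))
    return mask, bits


if __name__ == "__main__":
    line = squid_options_value(OPTION_BITS)  # "0x4,0x40000"
    print("tls_outgoing_options options=" + line)
    print(decode_options_value(line))       # (0x40004, [(2, ...), (18, ...)])
```

Decoding an existing `options=` line this way only tells you which bits are set; whether those bits match the intended OpenSSL flags on your build still has to be checked against that build's headers.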
