[squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

Dieter Bloms squid.org at bloms.de
Tue Jun 11 07:33:01 UTC 2024


Hello Alex,

thank you for your answer!

On Mon, Jun 10, Alex Rousskov wrote:

> On 2024-06-10 08:10, Dieter Bloms wrote:
> 
> > I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION option to enable access to https://cisco.com.
> > The web server does not support secure renegotiation.
> > 
> > I have tried to set the following options, but squid does not recognize any of them:
> > 
> > tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
> > 
> > or
> > 
> > tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> > 
> > and
> > 
> > tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> > 
> > but no matter which syntax I use, I always get the message during squid-k parse:
> > 
> > “2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
> > 
> > How can I activate secure renegotiation for squid?
> 
> To set an OpenSSL connection option that Squid does not know by name, use
> that option hex value (based on your OpenSSL sources). For example:
> 
>     # SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
>     # SSL_OP_BIT(18) which is equal to (1 << 18) or 0x40000 in hex.
>     tls_outgoing_options options=0x40000
> 
> Disclaimer: I have not tested the above and do not know whether adding that
> option achieves what you want to achieve.

I've added that option like:
tls_outgoing_options options=0x40000 capath=/etc/ssl/certs min-version=1.2 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
but no change.

I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change.

I use a debian bookworm container and when I use openssl s_client
without -legacy_server_connect I can't established a tls connection

--snip--
root at tarski:/# openssl s_client -connect cisco.com:443
CONNECTED(00000003)
4097F217F17F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5177 bytes and written 322 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 869B4016868DFF23D1DAB3A33F99F9879274C1F62FD45BF9DF839B27735FC72C
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1718090662
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
root at tarski:/# 
--snip--

but when I add the -legacy_server_connect option I can as shown here:

--snip--
---
root at cdxiaphttpproxy04:/# openssl s_client -legacy_server_connect -connect cisco.com:443
CONNECTED(00000003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 05:48:20 2023 GMT; NotAfter: Nov 13 05:47:20 2024 GMT
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHkDCCBnigAwIBAgIQQAGLzF+ffeG2bq2GaN2HuTANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MS4wLAYDVQQLEyVIeWRy
YW50SUQgVHJ1c3RlZCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlMR8wHQYDVQQDExZIeWRy
YW50SUQgU2VydmVyIENBIE8xMB4XDTIzMTExNDA1NDgyMFoXDTI0MTExMzA1NDcy
MFowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT
CFNhbiBKb3NlMRswGQYDVQQKExJDaXNjbyBTeXN0ZW1zIEluYy4xFjAUBgNVBAMT
DXd3dy5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5
CZi7tsogSJCAE5Zu78Z57FBC67OpK0OkIyVeixqKg57K/wqE4UF59GHHHVwOZhGv
VgsD3jjiQOhxZbUJnaen0+cMH6s1lSRZtiIi2K/Z1Oy+1Gytpw2bYZTbuWHWk1/e
VUgH8dS6PbwQp+/KAzV52Z98asWGzxWYqfJV5GUdC5V2MPDuDRfbrrl6uxVb05tN
69xfCIAR2KJtM64UJifesa7ItQBMzh1TYqPa4A15Ku6MgiuOkUddCrkZWRt1uevD
E6k47uR4wcuM/hF/eSX8wl/BaKrM3eiAc94Thom0wvKzlG0uziL4cux/O6O0na0w
o3WPfbSQltquqVPb9Z1JAgMBAAGjggQoMIIEJDAOBgNVHQ8BAf8EBAMCBaAwgYUG
CCsGAQUFBwEBBHkwdzAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2Nz
cC5pZGVudHJ1c3QuY29tMEMGCCsGAQUFBzAChjdodHRwOi8vdmFsaWRhdGlvbi5p
ZGVudHJ1c3QuY29tL2NlcnRzL2h5ZHJhbnRpZGNhTzEucDdjMB8GA1UdIwQYMBaA
FIm4m7ae7fuwxr0N7GdOPKOSnS35MCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwGCmCG
SAGG+S8ABgMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3ZhbGlkYXRpb24uaWRl
bnRydXN0LmNvbS9jcmwvaHlkcmFudGlkY2FvMS5jcmwwggE9BgNVHREEggE0MIIB
MIIJY2lzY28uY29tgg13d3cuY2lzY28uY29tgg53d3cxLmNpc2NvLmNvbYIOd3d3
Mi5jaXNjby5jb22CDnd3dzMuY2lzY28uY29tghB3d3ctMDEuY2lzY28uY29tghB3
d3ctMDIuY2lzY28uY29tghF3d3ctcnRwLmNpc2NvLmNvbYISd3d3MS1zczIuY2lz
Y28uY29tghJ3d3cyLXNzMS5jaXNjby5jb22CEnd3dzMtc3MxLmNpc2NvLmNvbYIS
d3d3My1zczIuY2lzY28uY29tghR3d3cuc3RhdGljLWNpc2NvLmNvbYIVcmVkaXJl
Y3QtbnMuY2lzY28uY29tghZjaXNjby1pbWFnZXMuY2lzY28uY29tghh3d3cubWVk
aWFmaWxlcy1jaXNjby5jb20wHQYDVR0OBBYEFJXbJPCc5ySIPskL3ul5pwsnzqOn
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAX0GCisGAQQB1nkCBAIE
ggFtBIIBaQFnAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGL
zF+ivwAABAMARzBFAiAV2h1n5lmpF6LmJiUBK23xPvFstpP2e1rgvrgk3/JsmwIh
AMWUWbEUlsvuBOZU4/Zj/319+wLUe00a3oB4TrmGl8dYAHUA7s3QZNXbGs7FXLed
tM0TojKHRny87N7DUUhZRnEftZsAAAGLzF+gvgAABAMARjBEAiAOO0eyzuDUszNb
crQzu64SP6Rb5MK2cma9K0v+TB4xtwIgQZPKexvzy13yOg7Imn9F2d8turRwP/KI
DgAaezKY8AUAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYvM
X6BZAAAEAwBHMEUCIQCLGuUmgXM4zWGFphL39D0xVwxW9YfN3M0QHuGkh+XcDgIg
duaXqsoaucNUg8Y7iXgB8941hMMVyayYk7qOSBXO50UwDQYJKoZIhvcNAQELBQAD
ggEBAMn5Jz/4Zo9Z2eduV86z+cQ2GLqe00HdV+Nu2g8z3Yg8my8TioRaNbYBj3XB
Ng+sqQ4kAAp7AGcFDFQDBh8tokdH/d9/W+K+rPED3DTADMg/xqKpwdYNjnjOIfjq
RdcPfvvCfpz6FFG67iCfvKGUJtRxCCwxZwOrH+yo5i92dZIVJBwGPT3rUACzswWR
erVDViWgeHdU8BK9cQWAnLoYT4EOUoYgIpowEBW2QJbsjtyF6F/M+6QmIRfAiQmz
ltnSXsmjQg6gU+xnb+hWr8Z6fJQ7WTKklIkq+P0m9XkMILrt2e/mJCVXllvHt1bw
3ppvS7HIO+hyjOL0Ec815gtXQ6Q=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
issuer=C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5570 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A5AB47FDA51B5E20A65B2C8E5BEE4C03B81A954F6E10525A2D656C0C08C6C72C
    Session-ID-ctx: 
    Master-Key: BB59B80C43F03ABCF1B35A62DCCB15061954F9FF19AAB08907E661F20E9104EA9DF6C4AACDD57245757800B6D80629C6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1718090925
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
--snip--

so I think, no matter what option I set, it will be ignored

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


More information about the squid-users mailing list