Search squid archive

Squid 3.5 Forward Secrecy on https_port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am trying to see if I have found another Squid 3.5.x issue with FreeBSD 10, or if I just have something set wrong on my https_port settings.

The server I am testing with is currently running FreeBSD 10.2-RC3, with Squid 3.5.7, and LibreSSL 2.2.2. The Apache 2.4.16 server behind squid is using the same cipher list settings, and the same LibreSSL 2.2.2 library, and the same certificate file.

Here is the squid https_port line.

https_port 443 accel defaultsite=www.dweimer.net \
 cert=/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt \
 key=/common/GoDaddy.Cert/dweimer.net.key \
 options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
 dhparams=dh.params \
 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4 \
 vhost

Apache SSL Configuration
SSLHonorCipherOrder On
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!RC4
SSLCertificateFile "/common/GoDaddy.Cert/dweimer.net.gd.bundle.crt"
SSLCertificateKeyFile "/common/GoDaddy.Cert/dweimer.net.key"

Apache test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
...

Squid test:
openssl s_client -tlsv1_2 -connect 192.168.5.2:443
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
...

Squid Test with cipher from Apache specified:
openssl s_client -tls1_2 -cipher ECDHE-RSA-CHACHA20-POLY1305 -connect 192.168.5.3:443
CONNECTED(00000003)
34381405160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1133:SSL alert number 40 34381405160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:522:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...

Squid does however use this cipher when connecting to the Apache server, even though the client isn't using a forward secrecy capable cipher (TLS_RSA_WITH_AES_256_CBC_SHA TLS1.2 reported by Firefox), determined by using a script with the PHP $_SERVER predefined variable connected through the reverse proxy.
SERVER_PROTOCOL  HTTP/1.1
SERVER_SOFTWARE Apache/2.4.16 (FreeBSD) LibreSSL/2.2.2 SVN/1.8.14 PHP/5.6.11
SSL_CIPHER       ECDHE-RSA-CHACHA20-POLY1305

Does anyone see something missing in my https_port configuration that is causing it to not use the ECDHE keys?

--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux