Hey Yuri,
I will try to test it with a couple of versions of 4.0.x.
But it's weird...
The reason it's weird is that I kind of trust or understand this
test:
https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest
I am not an SSL expert in general, but I can use the openssl client to
test and verify things.
I have tested this scenario with openssl like this:
# openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect www.cloudflare.com:443
CONNECTED(00000003)
139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 119 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
And it seems that openssl does something which might be my fault, but
if squid 3.5.16 works fine with it and 4.0.8 does not, it might be connected
to the connection between the openssl library and the service, and squid
only displays the issue in the nice html page.
I do not know what service cloudflare uses or how it all works, but
if openssl states that there is an issue with what the service is
either sending or itself analyzing, then the issue is at the openssl
level rather than squid.
I am sure that cloudflare, openssl and squid users, admins
and devs all want to resolve the issue.
Eliezer
On 12/04/2016 18:29, Yuri Voinov wrote:
UPDATE:
Every failed connect produces the following sequence in access.log:
1460474791.631 15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
1460474791.658 0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
Note: 198.41.215.162 is the current cloudflare.com IP.
Also: NONE_ABORTED/200 often occurs in access.log with other
accessible sites.
12.04.16 20:03, Yuri Voinov wrote:
>
> UPDATE:
>
> https://i1.someimage.com/b8w5dFz.png
>
> This is the answer from Cloudflare support.
>
> But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?
>
> 12.04.16 17:55, Yuri Voinov wrote:
> > Does anybody face this problem with 4.0.8:
> >
> > https://i1.someimage.com/3lD2cvV.png
> >
> > ?
> >
> > It produces this error in cache.log:
> >
> > 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54: error:00000000:lib(0):func(0):reason(0) (5/0/0)
> >
> > and "NONE/503" in access.log.
> >
> > Without proxy it works like a charm. 3.5.16 with a similar squid.conf works like a charm.
> >
> > NB: Cloudflare support said that the key features for SSL are SNI and ECDSA now. AFAIK, 4.0.8 fully supports these features.
> >
> > Any advice will be helpful.
> >
> > Yes, I know this looks like DDoS protection on Cloudflare. But WTF? A workaround is required. Half the Internet is hosted on Cloudflare.
> >
> > WBR, Yuri
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
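The access.log sequence Yuri quotes in the thread above (an aborted CONNECT, then a NONE/503 error page from HIER_NONE for the same client) is the only reliable log-side sign of a failed TLS negotiation with the origin, because NONE_ABORTED/200 on its own also appears for sites that work. The script below is an added example, not code from the squid-users thread or from the Squid project: it parses Squid's native ten-field access.log format and pairs the two lines so an admin can count such failures per destination. The two extra sample lines (203.0.113.10, example.com) are constructed; the two-second pairing window is an assumption.

```python
"""Pair aborted CONNECTs with Squid's synthetic 503 error page.

Added example, not code from the squid-users thread or from the Squid
project.  It parses Squid's native ten-field access.log format and
flags the sequence quoted in the thread: a CONNECT logged as
NONE_ABORTED/200 followed, for the same client, by a NONE/503 GET
served from HIER_NONE (the error page Squid generates itself).  An
aborted CONNECT on its own is not flagged, since the thread notes it
also shows up for sites that work.
"""
from collections import Counter, namedtuple

Entry = namedtuple(
    "Entry",
    "ts elapsed client code status nbytes method url ident hier ctype",
)

# Constructed sample: the two lines from the thread plus two benign
# lines (203.0.113.10 / example.com are documentation addresses) for a
# CONNECT the client simply closed and for a request that succeeded.
SAMPLE_LOG = """\
1460474791.631 15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
1460474791.658 0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
1460474800.100 30210 192.168.100.103 NONE_ABORTED/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1460474801.220 120 192.168.100.103 TCP_MISS/200 5120 GET https://example.com/ - ORIGINAL_DST/203.0.113.10 text/html
"""


def parse_line(line):
    """Parse one native-format line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    ts, elapsed, client, result, nbytes, method, url, ident, hier, ctype = parts
    code, sep, status = result.partition("/")
    if not sep or not status.isdigit():
        return None
    return Entry(float(ts), int(elapsed), client, code, int(status),
                 int(nbytes), method, url, ident, hier, ctype)


def find_tls_failures(lines, window=2.0):
    """Return (connect_target, error_url) pairs for failed negotiations.

    A match is an aborted CONNECT followed within `window` seconds
    (assumed value) by a NONE/503 from HIER_NONE for the same client
    address.  Lines are assumed to be in timestamp order, as Squid
    writes them.
    """
    entries = [e for e in map(parse_line, lines) if e is not None]
    failures = []
    for i, conn in enumerate(entries):
        if conn.method != "CONNECT" or conn.code != "NONE_ABORTED":
            continue
        for later in entries[i + 1:]:
            if later.ts - conn.ts > window:
                break
            if (later.client == conn.client and later.code == "NONE"
                    and later.status == 503 and later.hier == "HIER_NONE/-"):
                failures.append((conn.url, later.url))
                break
    return failures


def failures_per_target(lines, window=2.0):
    """Count flagged pairs per CONNECT target, e.g. to spot one CDN edge."""
    return Counter(target for target, _ in find_tls_failures(lines, window))


if __name__ == "__main__":
    for target, url in find_tls_failures(SAMPLE_LOG.splitlines()):
        print(f"TLS negotiation failed: CONNECT {target} -> 503 for {url}")
    print(dict(failures_per_target(SAMPLE_LOG.splitlines())))
```

Run it against a real access.log with `find_tls_failures(open("/var/log/squid/access.log"))`; a destination that dominates `failures_per_target` while other sites bump fine points at a server-side requirement (the thread names SNI and ECDSA) rather than at the proxy as a whole, which is the same distinction the openssl s_client test in the thread is trying to draw.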