My openssl test shows the following Cloudflare cipher: ECDHE-ECDSA-AES128-GCM-SHA256

So, the result is:

root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 4710875, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, C = US, postalCode = 94107, ST = California, L = San Francisco, street = "655 Third Street, Suite 200", O = "CloudFlare, Inc.", OU = COMODO EV Multi-Domain SSL
verify return:1
---
Certificate chain
 0 s:/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/postalCode=94107/ST=California/L=San Francisco/street=655 Third Street, Suite 200/O=CloudFlare, Inc./OU=COMODO EV Multi-Domain SSL
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/serialNumber=4710875/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/postalCode=94107/ST=California/L=San Francisco/street=655 Third Street, Suite 200/O=CloudFlare, Inc./OU=COMODO EV Multi-Domain SSL
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Extended Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3826 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 46639E396A6540A888C8A9B1994C744D03810678A4F95951A5BBA293DD4BE284
    Session-ID-ctx:
    Master-Key: 26F7F58D4913230F3F93872E2E7390C7D762CDC3E46FC5AAA300866F316ED5A283A813DAFF738457C5B8F5E1340CC156
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    Start Time: 1460486320
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

13.04.16 0:19, Eliezer Croitoru wrote:
> Hey Yuri,
>
> I will try to test it with couple versions of 4.0.x.
> But it's weird...
> The reason it's weird is since some kind of trust or understand this test:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com&s=198.41.214.162&latest
>
> I am not an SSL expert in general but I can use openssl client to test and verify things.
> I have tested this scenario with openssl like this:
> # openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect www.cloudflare.com:443
> CONNECTED(00000003)
> 139990857013152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 119 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> And it seems that openssl does something which might be my fault, but if squid 3.5.16 works fine with it and 4.0.8 doesn't, it might be connected to the connection between the openssl library and the service, and squid only displays the issue in the nice html page.
> I do not know what service cloudflare uses and how it all works, but if openssl states that there is an issue with what the service is either sending or itself analyzing, then the issue is at the openssl level rather than squid.
>
> I am sure that both cloudflare and openssl and squid users, admins and devs want to resolve the issue.
>
> Eliezer
>
> On 12/04/2016 18:29, Yuri Voinov wrote:
>> UPDATE:
>>
>> Every failed connect produces the following sequence in access.log:
>>
>> 1460474791.631 15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -
>> 1460474791.658 0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html
>>
>> Note: 198.41.215.162 is the current cloudflare.com IP.
>>
>> Also: NONE_ABORTED/200 often occurs in access.log with other accessible sites.
>>
>> 12.04.16 20:03, Yuri Voinov wrote:
>>> UPDATE:
>>>
>>> https://i1.someimage.com/b8w5dFz.png
>>>
>>> This is the answer from Cloudflare support.
>>>
>>> But: 3.5.16 can deal with ECDSA TLS 1.2 but 4.0.8 cannot?
>>>
>>> 12.04.16 17:55, Yuri Voinov wrote:
>>>> Does anybody face this problem with 4.0.8:
>>>>
>>>> https://i1.someimage.com/3lD2cvV.png
>>>>
>>>> ?
>>>>
>>>> It accomplished this error in cache.log:
>>>>
>>>> 2016/04/12 17:39:38 kid1| Error negotiating SSL on FD 54: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>>>>
>>>> and "NONE/503" in access.log.
>>>>
>>>> Without proxy it works like a charm. 3.5.16 with the similar squid.conf works like a charm.
>>>>
>>>> NB: Cloudflare support said that the key feature for SSL is SNI and ECDSA now. AFAIK, 4.0.8 fully supports these features.
>>>>
>>>> Any advice will be helpful.
>>>>
>>>> Yes, I know this looks like DDoS protection on Cloudflare. But WTF? Any workaround required. Half the Internet is hosted on Cloudflare.
>>>>
>>>> WBR, Yuri
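One way to pick the failure signature quoted in this thread out of a Squid access.log, as an added example that is not from the thread or from Squid itself: it pairs an intercepted CONNECT that ended NONE_ABORTED/200 with a NONE/503 served by Squid (HIER_NONE/-) to the same client shortly afterwards, which is what a failed origin TLS negotiation in SSL-bump mode leaves behind. Field layout is Squid's native access.log format; the time window, the third sample line and the 203.0.113.10 address are constructed for the example.

```python
import re
from collections import defaultdict

# Squid native access.log layout: time elapsed client result/status bytes method url user hierarchy/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_access_line(line):
    """Parse one native-format access.log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["elapsed"] = float(rec["ts"]), int(rec["elapsed"])
    return rec

def find_tls_bump_failures(lines, window=1.0):
    """Return (client, connect_rec, get_rec) for each CONNECT that ended NONE_ABORTED/200
    and was followed within `window` seconds by a NONE/503 for an https URL from the same
    client with no upstream (HIER_NONE/-): Squid built the error page after its own TLS
    handshake to the origin failed. Aborted CONNECTs with no 503 behind them do not count."""
    aborted = defaultdict(list)   # client -> aborted CONNECT records seen so far
    hits = []
    for rec in filter(None, map(parse_access_line, lines)):
        if rec["method"] == "CONNECT" and rec["result"] == "NONE_ABORTED/200":
            aborted[rec["client"]].append(rec)
        elif (rec["result"] == "NONE/503" and rec["hier"] == "HIER_NONE/-"
              and rec["url"].startswith("https://")):
            for con in aborted[rec["client"]]:
                if 0 <= rec["ts"] - con["ts"] <= window:
                    hits.append((rec["client"], con, rec))
    return hits

def describe(hit):
    """One-line summary naming the origin Squid tried (taken from the ORIGINAL_DST/ip field)."""
    client, con, get = hit
    origin = con["hier"].split("/", 1)[-1]
    return (f"{client}: CONNECT to {origin} aborted after {con['elapsed']} ms, "
            f"then NONE/503 for {get['url']} {get['ts'] - con['ts']:.3f}s later")

# Constructed sample: the two lines quoted in the thread plus one benign aborted CONNECT
# (NONE_ABORTED/200 also shows up for sites that work, so on its own it must not fire).
SAMPLE_LOG = [
    "1460474791.631  15444 192.168.100.103 NONE_ABORTED/200 0 CONNECT 198.41.215.162:443 - ORIGINAL_DST/198.41.215.162 -",
    "1460474791.658      0 192.168.100.103 NONE/503 3951 GET https://www.cloudflare.com/* - HIER_NONE/- text/html",
    "1460474800.101   2210 192.168.100.103 NONE_ABORTED/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -",
]
```

Running find_tls_bump_failures over a live access.log and grouping the hits by origin address shows which destinations Squid itself is failing to negotiate TLS with, separating them from clients that simply dropped a CONNECT.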
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users