
Re: Squid 4: Cloudflare SSL connection problem

Ok, nobody.

Well.

I've done my own research.

My suggestions:

CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom patches with CHACHA Poly support.

These patches are not in upstream. Moreover, the OpenSSL team has no plans in the foreseeable future to support the latest ciphers.

So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid 4.x branch bug, because 3.5.x does handshake with CF.

LibreSSL does CHACHA right now.

The question is:

Amos, can Squid support LibreSSL and, if not, when do you plan to support it?

14.04.16 20:38, Yuri Voinov wrote:
> Any ideas?
>
> Anybody?
>
> 13.04.16 2:37, Yuri Voinov wrote:
> > I suggest the matter can be openssl, not OS:
> >
> > root @ cthulhu /patch # openssl version -a
> > OpenSSL 1.0.1s  1 Mar 2016
> > built on: Tue Mar  1 15:42:26 2016
> > platform: solaris64-x86_64-cc-sunw
> > options:  bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)
> > compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include  -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> > OPENSSLDIR: "/etc/opt/csw/ssl"
> >
> > 13.04.16 2:29, Yuri Voinov wrote:
> > > root @ cthulhu /patch # dig www.cloudflare.com
> > >
> > > ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;www.cloudflare.com.            IN      A
> > >
> > > ;; ANSWER SECTION:
> > > www.cloudflare.com.     86400   IN      A       198.41.214.162
> > > www.cloudflare.com.     86400   IN      A       198.41.215.162
> > >
> > > ;; Query time: 538 msec
> > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
> > > ;; MSG SIZE  rcvd: 68
> > >
> > > root @ cthulhu /patch # uname -a
> > > SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
> > >
> > > But I think OS does not matter here.
> > >
> > > 13.04.16 2:02, Eliezer Croitoru wrote:
> > > > What does "dig www.cloudflare.com" result with?
> > > >
> > > > Also what OS are you using? I am using CentOS 7 up to date...
> > > >
> > > > Eliezer
> > > >
> > > > On 12/04/2016 21:39, Yuri Voinov wrote:
> > > > > root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
> > > >
> > > > _______________________________________________
> > > > squid-users mailing list
> > > > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > > http://lists.squid-cache.org/listinfo/squid-users



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
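
The per-cipher check run with `openssl s_client -cipher` in the quoted thread can be repeated from a script. The following is an added example, not part of the original post or of Squid: it first asks the local TLS library whether it can offer a suite at all, then attempts a handshake restricted to that one suite. The ChaCha20 suite name and the helper names `local_support` and `probe` are assumptions.

```python
import socket
import ssl

# Suites discussed in the thread, as OpenSSL cipher-string names. The ChaCha20
# spelling is the OpenSSL 1.1.0+ name and is an assumption about the local build.
SUITES = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"]


def local_support(names):
    """Map each cipher-string name to True if the local TLS library can offer it."""
    result = {}
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)  # raises if the string selects nothing
        except ssl.SSLError:
            result[name] = False
            continue
        # TLS 1.3 suites stay listed regardless, so look for the exact name.
        result[name] = any(c["name"] == name for c in ctx.get_ciphers())
    return result


def probe(host, cipher, port=443, timeout=5.0):
    """Attempt a TLS <= 1.2 handshake offering only `cipher`.

    Returns (True, negotiated_suite) or (False, error_text).
    """
    ctx = ssl.create_default_context()
    # set_ciphers() does not restrict TLS 1.3 suites, so cap the version.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print("python is linked against:", ssl.OPENSSL_VERSION)
    for suite, ok in local_support(SUITES).items():
        print(f"local library offers {suite}: {ok}")
        if ok:
            print("  handshake:", probe("www.cloudflare.com", suite))
```

A suite that `local_support` reports as unavailable can never appear in the ClientHello, which separates a library limitation from a failure in the proxy itself.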
