Strange: connecting directly from the server via wget through the proxy works:

root @ cthulhu /tmp # wget -S https://cloudflare.com
--2016-04-15 02:19:41--  https://cloudflare.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: cloudflare-nginx
  Date: Thu, 14 Apr 2016 20:19:41 GMT
  Transfer-Encoding: chunked
  Connection: keep-alive
  Set-Cookie: __cfduid=dfeddf543b09766778140e887d88543c71460665181; expires=Fri, 14-Apr-17 20:19:41 GMT; path=/; domain=.cloudflare.com; HttpOnly
  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Location: https://www.cloudflare.com/
  CF-RAY: 2939daab044b2654-FRA
Location: https://www.cloudflare.com/ [following]
--2016-04-15 02:19:41--  https://www.cloudflare.com/
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: cloudflare-nginx
  Date: Thu, 14 Apr 2016 20:19:42 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Last-Modified: Thu, 14 Apr 2016 19:46:02 GMT
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy: default-src 'self' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data:; img-src 'self' https://* data:; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://* data:; frame-src https://*; connect-src 'self' data: https://*
  X-XSS-Protection: 1; mode=block
  CF-Cache-Status: HIT
  Vary: Accept-Encoding
  Expires: Fri, 15 Apr 2016 00:19:42 GMT
  Cache-Control: public, max-age=14400
  CF-RAY: 2939daae503c0f75-FRA
Length: unspecified [text/html]
Saving to: 'index.html.1'

index.html.1 [ <=> ] 15.23K --.-KB/s in 0.1s

2016-04-15 02:19:42 (121 KB/s) - 'index.html.1' saved [15597]

But clients behind the proxy can't handshake.

15.04.16 0:40, Yuri Voinov wrote:
> Finally.
>
> 1. Squid 4 can be built with LibreSSL.
> 2. Squid 4 with LibreSSL starts supporting CHACHA20_POLY1305 cryptography.
> 3. Squid 4 with LibreSSL still can't connect with CloudFlare itself.
>
> WBR, Yuri.
>
> PS. I suggest a bug in the 4.x branch specific to the CF handshake.
>
> 15.04.16 0:31, Yuri Voinov wrote:
> > Ok, nobody.
> >
> > Well.
> >
> > I've done my own research.
> >
> > My suggestions:
> >
> > CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
> > patches with CHACHA Poly support.
> >
> > These patches are not in upstream. Moreover, the OpenSSL team has no
> > plans in the foreseeable future to support the latest ciphers.
> >
> > So, Squid 4 can't handshake TLS with CF right now. Possibly it is a
> > Squid 4.x branch bug, because 3.5.x does the CF handshake.
> >
> > LibreSSL does CHACHA right now.
> >
> > The question is:
> >
> > Amos, can Squid support LibreSSL and, if not, when do you plan to
> > support it?
> >
> > 14.04.16 20:38, Yuri Voinov wrote:
> > > Any ideas?
> > >
> > > Anybody?
> > >
> > > 13.04.16 2:37, Yuri Voinov wrote:
> > > > I suggest the matter can be openssl, not the OS:
> > > >
> > > > root @ cthulhu /patch # openssl version -a
> > > > OpenSSL 1.0.1s 1 Mar 2016
> > > > built on: Tue Mar 1 15:42:26 2016
> > > > platform: solaris64-x86_64-cc-sunw
> > > > options: bn(64,64) rc4(16x,int) des(ptr,cisc,16,int) idea(int) blowfish(ptr)
> > > > compiler: /opt/solarisstudio12.4/bin/cc -I. -I.. -I../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION="/usr/lib/64/libpkcs11.so" -DHAVE_ISSETUGID -DAV_SPARC_FJAES=0 -xO3 -m64 -xstrconst -Xa -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> > > > OPENSSLDIR: "/etc/opt/csw/ssl"
> > > >
> > > > 13.04.16 2:29, Yuri Voinov wrote:
> > > > > root @ cthulhu /patch # dig www.cloudflare.com
> > > > >
> > > > > ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.cloudflare.com
> > > > > ;; global options: +cmd
> > > > > ;; Got answer:
> > > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32548
> > > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > > > >
> > > > > ;; QUESTION SECTION:
> > > > > ;www.cloudflare.com. IN A
> > > > >
> > > > > ;; ANSWER SECTION:
> > > > > www.cloudflare.com. 86400 IN A 198.41.214.162
> > > > > www.cloudflare.com. 86400 IN A 198.41.215.162
> > > > >
> > > > > ;; Query time: 538 msec
> > > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > > ;; WHEN: Wed Apr 13 02:28:34 ALMT 2016
> > > > > ;; MSG SIZE rcvd: 68
> > > > >
> > > > > root @ cthulhu /patch # uname -a
> > > > > SunOS cthulhu 5.10 Generic_150401-30 i86pc i386 i86pc Solaris
> > > > >
> > > > > But I think the OS does not matter here.
> > > > >
> > > > > 13.04.16 2:02, Eliezer Croitoru wrote:
> > > > > > What does "dig www.cloudflare.com" result in?
> > > > > >
> > > > > > Also, what OS are you using? I am using CentOS 7 up to date...
> > > > > >
> > > > > > Eliezer
> > > > > >
> > > > > > On 12/04/2016 21:39, Yuri Voinov wrote:
> > > > > > > root @ cthulhu /patch # openssl s_client -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' -connect www.cloudflare.com:443
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
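
The thread compares handshakes made directly (`openssl s_client -cipher ...`) with handshakes made through the proxy at 127.0.0.1:3128. The script below is an added example, not part of the original messages: it probes one suite at a time both ways and reports where negotiation fails. It assumes OpenSSL 1.1.0 or later (for `s_client -proxy` and the `ECDHE-ECDSA-CHACHA20-POLY1305` suite name); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): probe one TLS suite at a time,
# directly and through a forward proxy, and compare the results.
# Assumes OpenSSL 1.1.0+ (s_client -proxy, ChaCha20 suite name).

# Suites discussed in the thread: the AES-GCM suite from the s_client
# command and ChaCha20-Poly1305 under its OpenSSL 1.1.0+ name.
SUITES="ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305"

# Read s_client output on stdin. Print the negotiated suite and return 0,
# or return 1 when no suite was agreed ("Cipher is (NONE)" or no such line).
negotiated_cipher() {
    neg=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$neg" in
        ''|'(NONE)') return 1 ;;
        *) printf '%s\n' "$neg" ;;
    esac
}

# probe HOST:PORT SUITE [PROXYHOST:PORT]
# -tls1_2 keeps the test to the single suite given with -cipher.
probe() {
    target=$1; suite=$2; proxy=${3:-}
    set -- -connect "$target" -servername "${target%:*}" -tls1_2 -cipher "$suite"
    if [ -n "$proxy" ]; then set -- "$@" -proxy "$proxy"; fi
    if openssl s_client "$@" </dev/null 2>&1 | negotiated_cipher >/dev/null; then
        echo "ok   $suite"
    else
        echo "FAIL $suite"
    fi
}

# compare HOST:PORT PROXYHOST:PORT
compare() {
    for s in $SUITES; do
        echo "direct    $(probe "$1" "$s")"
        echo "via proxy $(probe "$1" "$s" "$2")"
    done
}

# Example: sh probe.sh www.cloudflare.com:443 127.0.0.1:3128
if [ "$#" -eq 2 ]; then compare "$1" "$2"; fi
```

If the proxy intercepts TLS (SSL-Bump), the "via proxy" result describes the client-to-proxy handshake; the proxy's own handshake with the origin has to be read from the proxy's logs.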