3.5.16 on *NIX also has this issue. Only 3.5.16 Win64 works like a charm.

16.04.16 17:18, Yuri Voinov wrote:
> mozilla.org now has the same issue on Squid 4 like CloudFlare:
>
> https://i1.someimage.com/P03GmSY.png
>
> All ok but handshake does not complete:
>
> root @ cthulhu / # /usr/local/bin/openssl s_client -connect mozilla.org:443 -CApath /etc/ope/csw/ssl/certs
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
> verify return:1
> depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = California, serialNumber = C2543436, street = 650 Castro St Ste 300, postalCode = 94041, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = www.mozilla.org
> verify return:1
> ---
> Certificate chain
>  0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIHWTCCBkGgAwIBAgIQBQ5gs8e9nTbV62rD+8G95jANBgkqhkiG9w0BAQUFADBp
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
> ZSBFViBDQS0xMB4XDTE1MTEyNDAwMDAwMFoXDTE2MTIyOTEyMDAwMFowggEFMR0w
> GwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJV
> UzEbMBkGCysGAQQBgjc8AgECEwpDYWxpZm9ybmlhMREwDwYDVQQFEwhDMjU0MzQz
> NjEeMBwGA1UECRMVNjUwIENhc3RybyBTdCBTdGUgMzAwMQ4wDAYDVQQREwU5NDA0
> MTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
> dW50YWluIFZpZXcxGzAZBgNVBAoTEk1vemlsbGEgRm91bmRhdGlvbjEYMBYGA1UE
> AxMPd3d3Lm1vemlsbGEub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
> AQEAuHHB4NGHII28Vm4WrSFjZN5YM0bEBuVbPcwbwBAEinRe9Iwwwye359vVs24o
> 5YRnSkjkJYfrXHEb8f836GXBotN1xcxsrOi7brTJcA4qeE5ntby6V6wdlxKEy5mt
> 2Fd9P7wl9v1UlXmHyFxpF9UlDDoSuiDGUO+Q0U9lipKOrKoA3Q1Uzp/ntwrZL01B
> V4AUgTQf6b1HLu3ZD8CUG9xrq4Isi4OIMaJQX+kVwrQqxLe3Ahmjq9uP2iXAiLf7
> aVluTyFgfAfvv1/pf0193zgQoe0oGDReh5/QrbO6j+XtV2sHDnDen+mQO2/GNwET
> fQPCIKIroGf4JUnftt7Cwz1KmQIDAQABo4IDXTCCA1kwHwYDVR0jBBgwFoAUTFjL
> JfBBT1L0KMiBQ5umqKDmkuUwHQYDVR0OBBYEFIPU1A81pLqLvmE3YsGWDTbHxzc5
> MCcGA1UdEQQgMB6CD3d3dy5tb3ppbGxhLm9yZ4ILbW96aWxsYS5vcmcwDgYDVR0P
> AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBjBgNVHR8E
> XDBaMCugKaAnhiVodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3Js
> MCugKaAnhiVodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vZXZjYTEtZzUuY3JsMEsG
> A1UdIAREMEIwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
> LmRpZ2ljZXJ0LmNvbS9DUFMwBwYFZ4EMAQEwfQYIKwYBBQUHAQEEcTBvMCQGCCsG
> AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRwYIKwYBBQUHMAKGO2h0
> dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VF
> VkNBLTEuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoB
> aAB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUTfFoGwAAAQD
> AEcwRQIgPZSqJS9xxOfr4sFkB73ocAWRnHK4/fgEkIvVubEtLwkCIQDIXB59Y1A4
> SgdJPmwIeRXjshq7jkmz7mgc0Nap53UG2AB2AGj2mPgfZIK+OozuuSgdTPxxUV1n
> k9RE0QpnrLtPT/vEAAABUTfFoJ0AAAQDAEcwRQIgUGvntxlKFSY7iveb6BCCdGhs
> 28DU5EF1TcFH4DHAnX0CIQDstuSiKY0gs3YJ6x4S+GOxuK7V/8zEhNF7vEYADCPX
> 6QB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABUTfFoVUAAAQD
> AEcwRQIhAInj1bkZoUGmg39jrIN0z9tAmjPPc39UW3X/xP49q3C1AiBLG+iv0BKe
> sbUPcoFF6DYlr+rp7fbplMYNT60UnVAlrTANBgkqhkiG9w0BAQUFAAOCAQEAvc7m
> sTP08cANcDPsPyEKXAvv9CW1ugYLUK4XC/JylqCiluDYbgazfjRTraTbDNlmXk+Y
> SEVBFGJX005hIhn/qztA/+p2XEcnMJWy1cyCflxdQKWn51XGhN1jlTAa31Ps7WI/
> YPAL2taqn5EBDtUFT5790/ve09Fnyhh6elnXuy9ujJRCuVn+oXTtKlhVrIjEjzZ9
> zFyyv3SaTWX9xb9MBfOPaO6cGihHjhAo4mj3X6fJsvEnNGqs/NJXCpwiprjbidjL
> yeKPUhN2/hSSDAmzFd4X+B1Xx7cUXWkJHQrfosFSoiRDYmX/JnAgr0ObibjKuWPV
> 9Rs6HCB6QKS3grfX/w==
> -----END CERTIFICATE-----
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4163 bytes and written 446 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID: E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA
>     Session-ID-ctx:
>     Master-Key: D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B
>     Start Time: 1460805325
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> access.log also got NONE/503:
>
> 1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
>
> and cache.log:
>
> 2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>
> 15.04.16 15:17, Amos Jeffries wrote:
>> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
>>> Ok, nobody.
>>>
>>> Well.
>>>
>>> I've done my own research.
>>>
>>> My suggestions:
>>>
>>> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
>>> patches with CHACHA Poly support.
>>>
>>> These patches are not in upstream. Moreover, the OpenSSL team has no plans in the
>>> foreseeable future to support the latest ciphers.
>>>
>>> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a Squid
>>> 4.x branch bug, because 3.5.x does the CF handshake.
>>>
>>> LibreSSL does CHACHA right now.
>>>
>>> The question is:
>>>
>>> Amos, can Squid support LibreSSL and, if not, when do you plan to support it?
>> Yes Squid does support LibreSSL. You can build against it with the
>> --with-openssl configure option, maybe using a =path parameter to ensure
>> it doesn't find an OpenSSL install.
>>
>> The difference between LibreSSL and OpenSSL is likely to be more visible
>> in the squid.conf settings that it will accept and those that it
>> rejects. They are still basically the same but I know that the LibreSSL
>> guys are being very proactive removing old things like SSLv2 support. So
>> those config options won't work even when Squid-3.5 normally would
>> accept them with OpenSSL.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
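The NONE/503 access.log entry and the "Error negotiating SSL" cache.log line quoted above are the only traces Squid leaves when its server-side TLS handshake fails in an SSL-bump setup. As an added example, not code from this thread or from the Squid project, the following Python script parses both native log formats from constructed sample lines (all hosts, client addresses and FD numbers other than the quoted ones are made up), counts failed fetches per destination host so that a cluster of origins behind one CDN stands out, and reports whether the local OpenSSL build offers any ChaCha20-Poly1305 suites, which is the capability the thread suspects CloudFlare's custom OpenSSL requires. Reading the trailing `(5/0/0)` triple as Squid's `(SSL_get_error / return value / errno)` is my interpretation of Squid's log format, not something the thread states.

```python
"""Spot TLS-negotiation failures in Squid logs and check the local OpenSSL
for ChaCha20 cipher suites.

Added example, not code from the squid-users thread or the Squid project.
Sample log lines are constructed to match the native access.log and
cache.log layouts shown in the thread; hosts, clients and FDs other than
the quoted ones are made up.
"""
import re
import ssl
from collections import Counter
from datetime import datetime

# Constructed samples in Squid's native access.log format.
ACCESS_LOG = """\
1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
1460805180.102    211 192.168.100.103 TCP_MISS/200 5120 GET https://example.net/ - HIER_DIRECT/93.184.216.34 text/html
1460805181.555      0 192.168.100.104 NONE/503 3944 GET https://www.mozilla.org/ - HIER_NONE/- text/html
1460805182.001      0 192.168.100.103 NONE/503 3944 CONNECT cdn.example.org:443 - HIER_NONE/- -
"""

# Constructed samples in cache.log format; the second error string is a
# made-up OpenSSL alert for contrast with the quoted "no error" case.
CACHE_LOG = """\
2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2016/04/16 17:13:01 kid1| Error negotiating SSL on FD 61: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2016/04/16 17:13:02 kid1| Starting Squid Cache version 4.0.9 for x86_64-unknown-linux-gnu...
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)/(?P<peer>\S+)"
)
CACHE_SSL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): (?P<err>.+?) \((?P<codes>[-\d/]+)\)$"
)


def host_of(url: str) -> str:
    """Destination host of an absolute URL or of a CONNECT host:port target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1) if m else url


def failed_tls_fetches(access_log: str) -> list:
    """Return (epoch_ts, client, host) for requests Squid answered NONE/503
    without contacting any upstream (HIER_NONE): the access.log signature of
    a server-side handshake that never completed."""
    failures = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["code"] == "NONE" and m["status"] == "503" and m["hier"] == "HIER_NONE":
            failures.append((float(m["ts"]), m["client"], host_of(m["url"])))
    return failures


def ssl_negotiation_errors(cache_log: str) -> list:
    """Return (timestamp, fd, error text, codes) for each 'Error negotiating
    SSL' line. Assumed reading of the codes: (SSL_get_error/ret/errno), so
    5/0/0 is SSL_ERROR_SYSCALL with a 0 return, i.e. the peer closed the
    connection mid-handshake instead of sending a TLS alert."""
    out = []
    for line in cache_log.splitlines():
        m = CACHE_SSL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            out.append((ts, int(m["fd"]), m["err"], m["codes"]))
    return out


def failures_by_host(access_log: str) -> Counter:
    """Failed TLS fetches per destination host."""
    return Counter(host for _, _, host in failed_tls_fetches(access_log))


def local_chacha20_suites() -> list:
    """Names of the ChaCha20-Poly1305 suites the local OpenSSL enables by
    default; an empty list is the situation the thread attributes to
    upstream OpenSSL 1.0.2."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if "CHACHA20" in c["name"]]


if __name__ == "__main__":
    for host, n in failures_by_host(ACCESS_LOG).most_common():
        print(f"{n:3d} failed TLS fetch(es) to {host}")
    for ts, fd, err, codes in ssl_negotiation_errors(CACHE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} FD {fd}: {err} [{codes}]")
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    print("ChaCha20 suites:", local_chacha20_suites() or "none")
```

Run it against a real pair of logs by replacing the two constructed strings with file contents; if every failing host sits behind the same CDN and the cache.log codes are consistently `5/0/0`, the origin is closing the connection after the ClientHello, which is consistent with a cipher-suite mismatch rather than a certificate or verification problem (the `openssl s_client` run quoted above verified the chain fine).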