So. Still no ideas?

16.04.16 22:50, Yuri Voinov wrote:
>
> 3.5.16 on *NIX also has this issue.
>
> Only 3.5.16 Win64 works like a charm.
>
> 16.04.16 17:18, Yuri Voinov wrote:
> > mozilla.org now has the same issue on Squid 4 as CloudFlare:
> >
> > https://i1.someimage.com/P03GmSY.png
> >
> > All ok but handshake does not complete:
> >
> > root @ cthulhu / # /usr/local/bin/openssl s_client -connect mozilla.org:443 -CApath /etc/ope/csw/ssl/certs
> > CONNECTED(00000003)
> > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> > verify return:1
> > depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
> > verify return:1
> > depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = California, serialNumber = C2543436, street = 650 Castro St Ste 300, postalCode = 94041, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = www.mozilla.org
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> >  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> > ---
> > Server certificate
> > subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=www.mozilla.org
> > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 4163 bytes and written 446 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
> >     Session-ID: E32E470329327A2E39ADDEB384FBB9D351103F1BBA798A47EBFFF121C5001CCA
> >     Session-ID-ctx:
> >     Master-Key: D2C6E671DB649951C999E1DF83DC038852215500C57F81E4660AFB7ED96039C76E8A384F3ED78A44BBD129C56DD6F45B
> >     Start Time: 1460805325
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> >
> > access.log also got NONE/503:
> >
> > 1460805179.734 0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
> >
> > and cache.log:
> >
> > 2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
> >
> > 15.04.16 15:17, Amos Jeffries wrote:
> >> On 15/04/2016 6:31 a.m., Yuri Voinov wrote:
> >>> Ok, nobody.
> >>>
> >>> Well.
> >>>
> >>> I've done my own research.
> >>>
> >>> My suggestions:
> >>>
> >>> CloudFlare now uses its own custom OpenSSL 1.0.2 with very custom
> >>> patches with CHACHA Poly support.
> >>>
> >>> These patches are not in upstream. Moreover, the OpenSSL team has no
> >>> plans in the foreseeable future to support the latest ciphers.
> >>>
> >>> So, Squid 4 can't handshake TLS with CF right now. Possibly it is a
> >>> Squid 4.x branch bug, because 3.5.x does handshake with CF.
> >>>
> >>> LibreSSL does CHACHA right now.
> >>>
> >>> The question is:
> >>>
> >>> Amos, can Squid support LibreSSL and, if not, when do you plan to
> >>> support it?
> >> Yes Squid does support LibreSSL. You can build against it with the
> >> --with-openssl configure option, maybe using a =path parameter to ensure
> >> it doesn't find an OpenSSL install.
> >>
> >> The difference between LibreSSL and OpenSSL is likely to be more visible
> >> in the squid.conf settings that it will accept and those that it
> >> rejects. They are still basically the same but I know that the LibreSSL
> >> guys are being very proactive removing old things like SSLv2 support. So
> >> those config options won't work even when Squid-3.5 normally would
> >> accept them with OpenSSL.
> >>
> >> Amos
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users@xxxxxxxxxxxxxxxxxxxxx
> >> http://lists.squid-cache.org/listinfo/squid-users
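A triage sketch for the two log signatures quoted in the message above, added here as an example (it is not part of the original thread or of Squid): it pairs access.log NONE/503 HIER_NONE entries with cache.log "Error negotiating SSL" lines by timestamp to list the hosts whose handshake failed. The second access.log line is constructed, and the UTC+6 proxy timezone is an assumption inferred from the two quoted timestamps.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample: the access.log and cache.log lines quoted in the message,
# plus one successful request made up here for contrast.
ACCESS_LOG = """\
1460805179.734      0 192.168.100.103 NONE/503 3944 GET https://www.mozilla.org/favicon.ico - HIER_NONE/- text/html
1460805181.120     42 192.168.100.103 TCP_MISS/200 5120 GET https://example.org/ - ORIGINAL_DST/203.0.113.10 text/html
"""
CACHE_LOG = """\
2016/04/16 17:12:59 kid1| Error negotiating SSL on FD 56: error:00000000:lib(0):func(0):reason(0) (5/0/0)
"""
# Assumption: cache.log uses proxy local time, UTC+6 (1460805179 = 11:12:59 UTC).
PROXY_TZ = timezone(timedelta(hours=6))

ACCESS_RE = re.compile(r"^(\d+)\.\d+\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+\S+\s+(\S+)\s+\S+\s+(\S+)/")
CACHE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: \S+)?\| "
                      r"Error negotiating SSL on FD \d+: (.*)$")

def tls_errors(cache_log, tz=PROXY_TZ):
    """Index cache.log TLS negotiation errors by epoch second."""
    errors = {}
    for line in cache_log.splitlines():
        m = CACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
            errors.setdefault(int(ts.timestamp()), []).append(m.group(2))
    return errors

def failed_handshakes(access_log, cache_log, tz=PROXY_TZ, window=1):
    """Return NONE/503 HIER_NONE requests with a TLS error within +/- window seconds."""
    errors = tls_errors(cache_log, tz)
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        sec, client, code, status, url, hier = m.groups()
        if (code, status, hier) != ("NONE", "503", "HIER_NONE"):
            continue  # not the failure signature quoted in the thread
        near = [e for t in range(int(sec) - window, int(sec) + window + 1)
                for e in errors.get(t, [])]
        if near:
            # CONNECT entries log "host:port" rather than a full URL
            host = urlsplit(url if "://" in url else "//" + url).hostname
            hits.append({"host": host, "client": client, "errors": near})
    return hits

print(failed_handshakes(ACCESS_LOG, CACHE_LOG))
```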