On 18.04.16 22:11, Guy Helmer writes:
>
>> On Apr 17, 2016, at 5:50 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>
>> *NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus Torvalds. :) We are not speaking about all possible OSes. I suggest the matter is in SSL/TLS, not the OS or hands or something similar.
>>
>> The problem is in CF, I think. At most in peek-n-splice.
>>
>> I've not changed my squid.conf over the last year, but approx. in January 2016 CloudFlare stopped working via the proxy, as my field SA said. AFAIK, CF changed its own security settings. Also, I suggest mozilla.org also moved behind CF.
>>
>> Ok, let's talk about squid.conf. The SSL-related rows are here:
>>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
>> ssl_bump peek DiscoverSNIHost
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump all
>>
>> http_port 3126 intercept
>> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt options=SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
>> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>>
>> I see no anomalies in these lines. The cipher suite is very relaxed.
>>
>> Also, if we are discussing a bug, it may be better to turn on debugging to find out why 4.x first got NONE_ABORTED/200 during the CONNECT phase and then NONE/503 during TLS negotiation.
>
> Hi, Yuri,
>
> If I understand correctly, the issue is between squid and the origin proxy. In case it would help, have you enabled ECDH sslproxy_options or sslproxy_cipher settings in this snippet that would enable Squid to use ECDH when talking to the origin servers?

As you can see above, yes, ECDH is enabled, and I've checked it via Qualys SSL Labs - Projects / SSL Client Test <https://www.ssllabs.com/ssltest/viewMyClient.html>. Also, other sites utilize ECDH with this setup like a charm.

> Do you happen to have a packet capture between your squid server and a CloudFlare server that could help diagnose the TLS protocol's problem?

Not now. First, this issue occurs in a production environment, which has its own DMZ and heavy enough traffic from a few dozen customers. It is somewhat difficult to isolate one transaction with sniffing.

> Regards,
> Guy
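The debug question in Yuri's quoted message (why a CONNECT first logs NONE_ABORTED/200 and then NONE/503) can be turned into a check that runs over access.log before anyone has to isolate a transaction with a sniffer on a busy DMZ. The script below is an added example, not code from this thread or from the Squid project. It assumes Squid's default `squid` logformat (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type); the log lines, client addresses, server addresses and host names in it are constructed for illustration. It pairs each NONE_ABORTED/200 CONNECT with a following NONE/503 from the same client to the same destination within a short window, and reports which destinations keep failing TLS negotiation, so the problem hosts can be compared against the splice list or tested separately.

```python
# Added example for the squid-users thread above; not from the post or from Squid.
# Finds CONNECTs that log NONE_ABORTED/200 followed by NONE/503 for the same
# client and destination, and summarises outcomes per destination host.
import re
from collections import Counter, defaultdict

# Default Squid logformat ("squid"):
#   ts elapsed client code/status bytes method url user hier/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log (RFC 5737 addresses, example.* hosts); not real traffic.
SAMPLE_LOG = """\
1460998200.101 12 192.0.2.10 NONE_ABORTED/200 0 CONNECT www.example.net:443 - HIER_NONE/- -
1460998200.160 48 192.0.2.10 NONE/503 0 CONNECT www.example.net:443 - HIER_NONE/- -
1460998201.004 9 192.0.2.11 NONE_ABORTED/200 0 CONNECT www.example.net:443 - HIER_NONE/- -
1460998201.071 55 192.0.2.11 NONE/503 0 CONNECT www.example.net:443 - HIER_NONE/- -
1460998202.500 20 192.0.2.12 TCP_TUNNEL/200 5120 CONNECT spliced.example.org:443 - ORIGINAL_DST/203.0.113.5 -
1460998203.300 130 192.0.2.13 TCP_MISS/200 8420 GET https://bumped.example.com/ - ORIGINAL_DST/203.0.113.6 text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def destination(rec):
    """Normalise 'host:port' (CONNECT) and full URLs (bumped requests) to a host name.
    Bracketed IPv6 literals are not handled here."""
    url = rec["url"]
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def failed_handshakes(lines, window=5.0):
    """Return {host: count} of CONNECTs that logged NONE_ABORTED/200 and then
    NONE/503 from the same client within `window` seconds: the pattern from the
    thread for a handshake that fails after the peek step."""
    pending = {}          # (client, host) -> timestamp of the NONE_ABORTED/200 entry
    failures = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue
        key = (rec["client"], destination(rec))
        if rec["code"] == "NONE_ABORTED" and rec["status"] == 200:
            pending[key] = rec["ts"]
        elif rec["code"] == "NONE" and rec["status"] == 503:
            started = pending.pop(key, None)
            if started is not None and rec["ts"] - started <= window:
                failures[key[1]] += 1
    return dict(failures)


def destination_summary(lines):
    """Per destination host: transactions that completed (non-5xx) vs failed (5xx).
    NONE_ABORTED/200 entries are the first half of a pair, not an outcome, so skip them."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["code"] == "NONE_ABORTED":
            continue
        bucket = "failed" if rec["status"] >= 500 else "ok"
        summary[destination(rec)][bucket] += 1
    return dict(summary)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, n in sorted(failed_handshakes(lines).items()):
        print(f"{host}: {n} CONNECT(s) failed during TLS negotiation")
    print(destination_summary(lines))
```

Run it against a real log with `failed_handshakes(open("/path/to/access.log"))`; a host that shows up only in the failed bucket while spliced and bumped hosts succeed is the one to test directly with the same outgoing cipher and ECDH settings, and the candidate to add to the splice list while the negotiation failure is investigated.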