On 22/09/2016 1:41 a.m., Сергин Александр wrote:
> Hi, can you please explain to me: does squid support ssl bumping with a site
> signed with a GOST certificate?
>

The crypto details in squid.conf are almost always passed directly to the
crypto library. So Squid supports what the library does.

I don't know enough about the GOST ciphers to know if there is anything
unusual needed from Squid.

> I have OpenSSL 1.0.2d 9 Jul 2015
>
> openssl engine
> (dynamic) Dynamic engine loading support
> (gost) Reference implementation of GOST engine
>

That would indicate the answer is yes, unless something unusual is needed.

> openssl ciphers | grep GOST
> GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89
>
> /opt/squid/sbin/squid -v
> Squid Cache: Version 3.5.19
> Service Name: squid
> configure options: 'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
> -O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
> '--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
> '--enable-removal-policies=heap,lru' '--enable-useragent-log'
> '--enable-referer-log' '--enable-arp-acl' '--with-openssl'
> '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
> '--enable-basic-auth=all' '--enable-ntlm-auth=all'
> '--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
> '--enable-external-acl-helpers' '--with-filedescriptors=32768'
> '--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
> '--disable-static' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid'
> '--with-swapdir=/var/data/squid/cache' '--disable-arch-native'
>
> SSL bumping with dynamic certificates is working well, but when I try to go
> to a site with a GOST certificate I see this error:
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
>
> Please explain this error to me.
>

The error is produced by OpenSSL.

It means one endpoint of the Squid<->server connection has a crypto library
that does not support one of the cipher algorithms the other endpoint is
requiring.

This is different from simply not being able to agree on a matching set of
ciphers to use. One of the ciphers is actively unsupported for the use being
attempted.

It could be the cipher (server not supporting GOST?), a checksum hash (RC4,
DES, SHA1 are frequently forbidden these days), or something else.

NP: That is the limit of what I know about this error, sorry. Good luck
finding a fix.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
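As an added illustration (not part of the thread, and not Squid or OpenSSL code): the error string quoted above can be decoded offline, because OpenSSL 1.0.x, the version in the question, packs library, function and reason numbers into the 8-hex-digit code and the text after it is only those numbers looked up by name. The decoder below assumes that 1.0.x layout and seeds its name tables with just the values from this thread, so a cache.log line that carries only the hex code can still be read and the printed text can be checked against the numeric code.

```python
import re

# OpenSSL 1.0.x packs every error as LLFFFRRR (8 hex digits):
#   LL  = library (ERR_GET_LIB), FFF = function (ERR_GET_FUNC),
#   RRR = reason (ERR_GET_REASON), mirroring ERR_PACK() in err.h.
# The name tables hold only the values that occur in the thread above
# (ERR_LIB_EVP=6, EVP_F_PKEY_SET_TYPE=158, EVP_R_UNSUPPORTED_ALGORITHM=156).
LIB_NAMES = {6: "digital envelope routines"}
FUNC_NAMES = {(6, 158): "PKEY_SET_TYPE"}
REASON_NAMES = {(6, 156): "unsupported algorithm"}

# The three text fields are optional: some log lines carry only the hex code.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8})(?::([^:]*):([^:]*):([^:]*))?")


def unpack_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_error_line(line):
    """Decode the first OpenSSL error found in a Squid log line.

    Returns None when the line carries no OpenSSL error. Otherwise returns
    the numeric components, the names from the tables (falling back to the
    text OpenSSL printed), and whether that printed text agrees with the code.
    """
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_error(code)
    printed = [g or "" for g in m.groups()[1:]]
    names = (LIB_NAMES.get(lib), FUNC_NAMES.get((lib, func)),
             REASON_NAMES.get((lib, reason)))
    consistent = all(p == n for p, n in zip(printed, names) if p and n)
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": names[0] or printed[0],
        "func_name": names[1] or printed[1],
        "reason_name": names[2] or printed[2],
        "consistent": consistent,
    }


# Constructed sample: the error line from the thread as Squid reports it.
SAMPLE = ("Handshake with SSL server failed: error:0609E09C:digital envelope "
          "routines:PKEY_SET_TYPE:unsupported algorithm")

if __name__ == "__main__":
    print(decode_error_line(SAMPLE))
```

On an OpenSSL 1.0.x host `openssl errstr 0609E09C` prints the same three names, which is a quick way to confirm the tables.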