James, thanks for your advice! I've read your email on this list about LibreSSL. I tried to compile Squid with LibreSSL in the first place because of what you wrote about ChaCha20. But unfortunately, I couldn't; compilation stopped because of some obscure error. Do you remember what version of Squid and LibreSSL you used?

BTW I tried with OpenSSL 1.0.2g applying the CloudFlare ChaCha20 patch, but it doesn't work either, same error (unknown cipher).

Thanks!

On 21 October 2016 at 10:55, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
> On 2016-10-20 20:15, Leandro Barragan wrote:
>>
>> Thanks for your time Alex! I modified my original config based on Amos'
>> recommendations, so I think now I have a more consistent peek & splice
>> config:
>>
>> acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>> ssl_bump peek all
>> ssl_bump terminate TF
>> ssl_bump splice all
>>
>> As you mentioned, terminate closes the connection, it doesn't serve an
>> error page (when it works, i.e. with reddit and twitter).
>>
>> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
>> same exact issue, even with this new config. Based on what you
>> explained, I think it's an OpenSSL problem and Squid can't do anything
>> about it. I have two reasons to believe that:
>>
>> 1) The "unknown cipher returned" error gets triggered on terminated
>> and non-terminated (e.g. microsoft.com) sites, which makes me think it
>> has nothing to do with Squid ACLs.
>> 2) All problematic sites use a new cipher called "ChaCha20" (e.g.
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256... according to the Qualys
>> online analyzer and the TestSSLServer tool)
>>
>> A lot of sites are using this new cipher. I'm back at the beginning, I
>> will continue trying to compile Squid with patched versions of OpenSSL
>> or LibreSSL.
>>
>> Thanks!
>>
>> On 20 October 2016 at 01:01, Alex Rousskov
>> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>>>
>>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
>>>>> returned (1/-1/0)
>>>
>>>> I fail to see why this is happening. I only need to peek on the
>>>> connection and make a decision based on SNI,
>>>
>>> Please note that "peek and make a decision based on SNI" is not what
>>> your configuration tells Squid to do. Your configuration tells Squid to
>>> peek during step2, which means making a decision based on server
>>> certificates (and SNI).
>>>
>>>> I'm not Bumping, so I
>>>> don't understand why ciphers matter in my situation.
>>>
>>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>>> little) and step3. It is possible to completely remove OpenSSL from
>>> step2 but there is currently no project to do that AFAIK.
>>>
>>>>> ssl_bump peek all step1
>>>>> ssl_bump peek all step2
>>>>> ssl_bump terminate face step3
>>>>> ssl_bump terminate twitter step3
>>>>> ssl_bump splice all step3
>>>
>>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>>> config. You can safely remove them to arrive at the equivalent ssl_bump
>>> configuration.
>>>
>>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>>> Terminate means impersonating the server and responding to the client
>>>> with an HTTPS error page.
>>>
>>> Terminate means "close client and server connections immediately". The
>>> problem is not with the terminate action but with peeking (which relies
>>> on OpenSSL, especially during step2, especially in Squid v3).
>>>
>>> HTH,
>>>
>>> Alex.
>
> FWIW I've had great success with the git version of libressl and using the
> below:
>
> ./configure --prefix=/opt/libressl
>
> and for squid:
>
> ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
> --enable-ssl-crtd
>
> James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
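The "SSL3_GET_SERVER_HELLO:unknown cipher returned" error quoted in the thread is what a peeking TLS parser reports when the two-byte cipher-suite id in the server's ServerHello is missing from the parser's own suite table, which is why Alex's point about Squid v3 relying on OpenSSL during step2 matters even without bumping. The ids registered for the ChaCha20-Poly1305 suites in RFC 7905 are 0xCCA8 and 0xCCA9, whereas the earlier draft (draft-agl-tls-chacha20poly1305, which the CloudFlare patch implemented) used 0xCC13 and 0xCC14. The Python script below is an added example, not code from the thread, from Squid or from OpenSSL: it builds a constructed minimal ServerHello and runs the same table lookup against three illustrative suite tables (a plain 1.0.2-style table, a draft-id table, and an RFC 7905 table). The table contents are small subsets, and it is an assumption that the poster's patched build carried only the draft ids.

```python
import struct

# Illustrative suite tables (subsets). The three GCM suites are ids every
# OpenSSL 1.0.2 build knows; the ChaCha20 ids come from RFC 7905 and the
# earlier draft respectively.
LEGACY_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
DRAFT_CHACHA20 = {
    0xCC13: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (draft id)",
    0xCC14: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (draft id)",
}
RFC7905_CHACHA20 = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Hypothetical parser tables: stock 1.0.2, 1.0.2 plus the draft patch
# (assumption about the poster's build), and an RFC 7905 aware stack.
TABLES = {
    "openssl-1.0.2": LEGACY_SUITES,
    "openssl-1.0.2+cloudflare-draft": {**LEGACY_SUITES, **DRAFT_CHACHA20},
    "rfc7905-aware": {**LEGACY_SUITES, **RFC7905_CHACHA20},
}


def build_server_hello(cipher_suite, version=0x0303):
    """Constructed sample: TLS record carrying a minimal ServerHello."""
    body = struct.pack(">H", version)          # server_version
    body += bytes(32)                          # random (zeros; sample data only)
    body += b"\x00"                            # session_id length 0
    body += struct.pack(">H", cipher_suite)    # the suite the server selected
    body += b"\x00"                            # compression_method null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    header = b"\x16" + struct.pack(">HH", version, len(handshake))
    return header + handshake


def parse_server_hello(record):
    """Return (version, cipher_suite_id) from a TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[0:2])[0]
    sid_len = body[34]                         # after 2-byte version + 32-byte random
    off = 35 + sid_len
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", body[off:off + 2])[0]
    return version, suite


def check_server_hello(record, known_suites):
    """Mimic a peeking parser: look the chosen suite up in its own table."""
    _, suite = parse_server_hello(record)
    name = known_suites.get(suite)
    if name is None:
        return "unknown cipher returned", suite
    return "ok", name


if __name__ == "__main__":
    hello = build_server_hello(0xCCA9)   # what the problem sites select
    for table_name, table in TABLES.items():
        print(f"{table_name:32s} -> {check_server_hello(hello, table)}")
```

Running it shows that a ServerHello selecting 0xCCA9 is rejected by both the plain and the draft-patched tables and accepted only by the RFC 7905 table; a ServerHello selecting 0xC02F is accepted by all three, matching the thread's observation that only ChaCha20 sites fail.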