On 2016-10-21 09:58, Leandro Barragan wrote:
James, thanks for your advice! I've read your email on this list about
LibreSSL. I tried to compile Squid with LibreSSL in the first place
because of what you wrote about ChaCha20. But unfortunately, I
couldn't, compilation stopped because of some obscure error.
Do you remember what version of squid and libressl you used? BTW I
tried with OpenSSL 1.0.2g applying the CloudFare ChaCha20 patch, but
it doesn't work either, same error (unknown cipher)
Thanks!
On 21 October 2016 at 10:55, James Lay <jlay@xxxxxxxxxxxxxxxxxxx>
wrote:
On 2016-10-20 20:15, Leandro Barragan wrote:
Thanks for your time Alex! I modified my original config based on
Amos
recommendations, so I think now I have a more consistent peek &
splice
config:
acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
ssl_bump peek all
ssl_bump terminate TF
ssl_bump splice all
As you mentioned, terminate closes the connection, it doesn't serve
an
error page (when it works, i.e. with reddit and twitter).
I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
same exact issue, even with this new config. Based on what you
explained, I think it's a OpenSSL problem and Squid can't do anything
about it. I have two reasons to believe that:
1) The "unknown cipher returned" error get's triggered on terminated
and non terminated (e.g. microsoft.com) sites, which makes me think
it
has nothing to do with Squid ACLs.
2) All problematic sites use a new cipher called "ChaCha20" (E.g.
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256....according to Qualys
online analyzer and TestSSLServer tool)
A lot of sites are using this new cipher. I'm back at the beginning,
I
will continue trying to compile Squid with patched versions of
OpenSSL
or LibreSSL.
Thanks!
On 20 October 2016 at 01:01, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 10/19/2016 12:44 AM, Leandro Barragan wrote:
error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
returned (1/-1/0)
I fail to see why is this happening. I only need to peek on the
connection and make a decision based on SNI,
Please note that "peek and make a decision based on SNI" is not what
your configuration tells Squid to do. Your configuration tells Squid
to
peek during step2, which means making a decision based on server
certificates (and SNI).
I'm not Bumping, so I
don't understand why ciphers matter in my situation.
The ciphers matter because Squid v3 uses OpenSSL parsers during
step1,
step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2
(a
little) and step3. It is possible to completely remove OpenSSL from
step2 but there is currently no project to do that AFAIK.
ssl_bump peek all step1
ssl_bump peek all step2
ssl_bump terminate face step3
ssl_bump terminate twitter step3
ssl_bump splice all step3
BTW, "step1", "step2", and "step3" ACLs do nothing useful in the
above
config. You can safely remove them to arrive at the equivalent
ssl_bump
configuration.
On 10/19/2016 07:42 AM, Amos Jeffries wrote:
Terminate means impersonating the server and responding to the
client
with an HTTPS error page.
Terminate means "close client and server connections immediately".
The
problem is not with the terminate action but with peeking (which
relies
on OpenSSL, especially during step2, especially in Squid v3).
HTH,
Alex.
FWIW I've had great success with the git version of libressl and using
the
below:
./configure --prefix=/opt/libressl
and for squid:
./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
--enable-ssl-crtd
James
I'm currently using squid-3.5.22 and using the below git for libressl:
commit b7ba692f72f232602efb3e720ab0510406bae69c
Author: Brent Cook <bcook@xxxxxxxxxxx>
Date: Wed Sep 14 23:40:10 2016 -0500
What's the error you're getting when you try and compile?
James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
