Thanks a lot James, compiling Squid 3.5.22 using that specific commit of LibreSSL worked like a charm! I no longer have those "unknown cipher returned" errors. I do have some errors with a tiny number of sites, but I suppose it's because of server-side misconfigurations that LibreSSL simply doesn't like.

On 21 October 2016 at 13:01, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
> On 2016-10-21 09:58, Leandro Barragan wrote:
>>
>> James, thanks for your advice! I've read your email on this list about
>> LibreSSL. I tried to compile Squid with LibreSSL in the first place
>> because of what you wrote about ChaCha20. But unfortunately, I
>> couldn't, compilation stopped because of some obscure error.
>>
>> Do you remember what version of squid and libressl you used? BTW I
>> tried with OpenSSL 1.0.2g applying the Cloudflare ChaCha20 patch, but
>> it doesn't work either, same error (unknown cipher)
>>
>> Thanks!
>>
>> On 21 October 2016 at 10:55, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> On 2016-10-20 20:15, Leandro Barragan wrote:
>>>>
>>>> Thanks for your time Alex! I modified my original config based on Amos's
>>>> recommendations, so I think now I have a more consistent peek & splice
>>>> config:
>>>>
>>>> acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>>>> ssl_bump peek all
>>>> ssl_bump terminate TF
>>>> ssl_bump splice all
>>>>
>>>> As you mentioned, terminate closes the connection, it doesn't serve an
>>>> error page (when it works, i.e. with reddit and twitter).
>>>>
>>>> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
>>>> same exact issue, even with this new config. Based on what you
>>>> explained, I think it's an OpenSSL problem and Squid can't do anything
>>>> about it. I have two reasons to believe that:
>>>>
>>>> 1) The "unknown cipher returned" error gets triggered on terminated
>>>> and non-terminated (e.g. microsoft.com) sites, which makes me think it
>>>> has nothing to do with Squid ACLs.
>>>> 2) All problematic sites use a new cipher called "ChaCha20" (e.g.
>>>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256... according to the Qualys
>>>> online analyzer and the TestSSLServer tool)
>>>>
>>>> A lot of sites are using this new cipher. I'm back at the beginning, I
>>>> will continue trying to compile Squid with patched versions of OpenSSL
>>>> or LibreSSL.
>>>>
>>>> Thanks!
>>>>
>>>> On 20 October 2016 at 01:01, Alex Rousskov
>>>> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>>>
>>>>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>>>>>
>>>>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
>>>>>>> returned (1/-1/0)
>>>>>
>>>>>> I fail to see why this is happening. I only need to peek on the
>>>>>> connection and make a decision based on SNI,
>>>>>
>>>>> Please note that "peek and make a decision based on SNI" is not what
>>>>> your configuration tells Squid to do. Your configuration tells Squid to
>>>>> peek during step2, which means making a decision based on server
>>>>> certificates (and SNI).
>>>>>
>>>>>> I'm not Bumping, so I
>>>>>> don't understand why ciphers matter in my situation.
>>>>>
>>>>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>>>>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>>>>> little) and step3. It is possible to completely remove OpenSSL from
>>>>> step2 but there is currently no project to do that AFAIK.
>>>>>
>>>>>>> ssl_bump peek all step1
>>>>>>> ssl_bump peek all step2
>>>>>>> ssl_bump terminate face step3
>>>>>>> ssl_bump terminate twitter step3
>>>>>>> ssl_bump splice all step3
>>>>>
>>>>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>>>>> config. You can safely remove them to arrive at the equivalent ssl_bump
>>>>> configuration.
>>>>>
>>>>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>>>>> Terminate means impersonating the server and responding to the client
>>>>>> with an HTTPS error page.
>>>>>
>>>>> Terminate means "close client and server connections immediately". The
>>>>> problem is not with the terminate action but with peeking (which relies
>>>>> on OpenSSL, especially during step2, especially in Squid v3).
>>>>>
>>>>> HTH,
>>>>>
>>>>> Alex.
>>>
>>> FWIW I've had great success with the git version of libressl and using
>>> the below:
>>>
>>> ./configure --prefix=/opt/libressl
>>>
>>> and for squid:
>>>
>>> ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
>>> --enable-ssl-crtd
>>>
>>> James
>
> I'm currently using squid-3.5.22 and using the below git for libressl:
>
> commit b7ba692f72f232602efb3e720ab0510406bae69c
> Author: Brent Cook <bcook@xxxxxxxxxxx>
> Date: Wed Sep 14 23:40:10 2016 -0500
>
> What's the error you're getting when you try and compile?
>
> James
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
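The failure mode Alex describes (a peeking proxy never decrypts the session, yet its TLS library still has to map the ServerHello's cipher suite through its own cipher table, so a suite the library predates is fatal) is easy to reproduce in isolation. The script below is an added example written for this page; it is not code from the thread, from Squid or from OpenSSL/LibreSSL. It parses a minimal TLS 1.2 ServerHello the way a step2 peek must and resolves the negotiated suite against two tables: a "legacy" table that knows only AES-GCM suites, which is an assumption standing in for an OpenSSL 1.0.2 build without the ChaCha20 patch, and a "ChaCha-aware" table that also carries the RFC 7905 code points 0xCCA8/0xCCA9 (added in OpenSSL 1.1.0 and present in LibreSSL). The suite names and code points are the IANA-registered ones; the ServerHello bytes are constructed inline, and the function names (`peek_cipher`, `classify`, `build_server_hello`) are this example's own.

```python
"""Toy 'step2 peek' over a TLS 1.2 ServerHello.

Added example, not code from Squid, OpenSSL or LibreSSL. It mimics what a
peeking proxy has to do at SslBump step2: parse the server's ServerHello and
map the negotiated cipher suite through its TLS library's cipher table. If
the table predates the suite, the lookup fails even though the proxy never
intended to decrypt anything, which is the "unknown cipher returned" error
quoted in the thread.
"""
import struct

# Cipher suite code points from the IANA TLS registry (RFC 5289 / RFC 7905).
IANA_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Assumption: the "legacy" table approximates an OpenSSL 1.0.2 build, which
# has no entries for the ChaCha20-Poly1305 code points 0xCCA8/0xCCA9.
LEGACY_TABLE = {k: v for k, v in IANA_SUITES.items() if "CHACHA20" not in v}
CHACHA_AWARE_TABLE = dict(IANA_SUITES)


class UnknownCipher(Exception):
    """Raised when the peeked suite is not in the library's cipher table."""


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[0:2])[0]
    # 32 bytes of server random, then session_id<0..32>, then the suite.
    sid_len = hs[34]
    pos = 35 + sid_len
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    compression = hs[pos + 2]
    return {"version": version, "cipher_suite": suite, "compression": compression}


def peek_cipher(record: bytes, table: dict) -> str:
    """What a step2 peek needs: name the negotiated suite via the lib's table."""
    suite = parse_server_hello(record)["cipher_suite"]
    try:
        return table[suite]
    except KeyError:
        raise UnknownCipher(f"unknown cipher returned: 0x{suite:04X}") from None


def build_server_hello(suite: int) -> bytes:
    """Constructed test input: minimal TLS 1.2 ServerHello with a fixed random."""
    hs = struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"  # empty session id
    hs += struct.pack("!H", suite) + b"\x00"                      # suite, null compression
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


def classify(record: bytes, table: dict) -> str:
    """Return the suite name, or the error string a proxy would log."""
    try:
        return peek_cipher(record, table)
    except UnknownCipher as e:
        return str(e)


if __name__ == "__main__":
    for suite in (0xC02F, 0xCCA9):
        rec = build_server_hello(suite)
        print(f"0x{suite:04X} legacy table : {classify(rec, LEGACY_TABLE)}")
        print(f"0x{suite:04X} chacha-aware : {classify(rec, CHACHA_AWARE_TABLE)}")
```

Run as a script, the AES-GCM suite resolves under both tables while 0xCCA9 resolves only under the ChaCha-aware one; that asymmetry is why the same peek-only config worked for some sites and failed for the ChaCha20 sites, and why swapping the library (LibreSSL, or OpenSSL 1.1.0) rather than changing the ssl_bump rules fixed it.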