On 13/02/18 02:29, chiasa.men wrote:
> Hi, I tried squid4.
>
> Squid Cache: Version 4.0.23
> This binary uses OpenSSL 1.1.1-dev xx XXX xxxx
>
> Before, I used:
> Squid Cache: Version 3.5.27
> This binary uses OpenSSL 1.0.2g 1 Mar 2016
>
> Some of the config directives changed:
> E.g.
> sslproxy_options SINGLE_DH_USE,SINGLE_ECDH_USE
> ->
> tls_tls_outgoing_options options=SINGLE_DH_USE,SINGLE_ECDH_USE
>
> But that results in version 4 in the following errors (cache.log)
> ERROR: Unknown TLS option SINGLE_DH_USE
> ERROR: Unknown TLS option SINGLE_ECDH_USE
>
> (same error with the same options in https_proxy)
>
> Is that a problem related to the openssl version change?

Yes. Due to CVE-2016-0701 the SSL_OP_SINGLE_DH_USE option was deprecated in OpenSSL 1.0.2f and that option was enabled by default. That means it *should* be available in all Squid using those libraries.

... but your 1.1.1-dev library appears to have had it removed entirely. It is not listed as removed officially (<https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags#SSL_OP_SINGLE_DH_USE>) so may be related to some build option used to create the library.

>
> In cache_peer I also now have to configure tls-cafile=/etc/ssl/certs/ca-certificates.crt explicitly (I used some self signed certificates for testing - but in Squid3 I didn't need to configure that)
> Otherwise I get:
> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> In the reference it's stated that:
> tls-default-ca[=off]
> Whether to use the system Trusted CAs. Default is ON.
> Shouldn't the tls-cafile option be unnecessary since it's trusted by default?
>

Yes, unless the CA is not in the system default CAs for some reason. Some well-known companies are not trusted because of bad behaviour getting them kicked out of the globally trusted CA registry. It might also be related to other things in your library build.

Hard to say what exactly is going wrong without looking into that particular cert chain which is hitting the error.

>
> Furthermore I set Apache (the peer) to "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384"
> as well as cache_peer sslcipher=ECDHE-ECDSA-AES256-GCM-SHA384
>
> ERROR: negotiating TLS on FD 20: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available (1/-1/0)
>
> How can that be?
>

Not sure. Is the handshake actually trying to negotiate that cipher correctly? Or is one endpoint deciding it cannot support it?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
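Added diagnostic example, not code from the thread, from Squid or from OpenSSL: a small Python script that asks the OpenSSL library the interpreter is linked against the two questions raised in the exchange above. First, whether SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE still exist as real option bits (OpenSSL 1.1.0 and later keep the macro names for source compatibility but define them as 0, so an application that rejects zero-valued options will report them as unknown). Second, whether a cipher string such as ECDHE-ECDSA-AES256-GCM-SHA384 selects any suites in this library, which is the client-side equivalent of the "no ciphers available" error quoted above. The assumptions are that Python's ssl module is built against the same OpenSSL as the Squid binary being examined (otherwise it reports on a different library) and that the cipher and flag names are the ones from the thread.

```python
import ssl

# Flags discussed in the thread. Python exposes the OpenSSL SSL_OP_* macros
# as ssl.OP_* when the linked library defines them.
FLAGS = ("OP_SINGLE_DH_USE", "OP_SINGLE_ECDH_USE")


def flag_status(name):
    """Report how the linked OpenSSL treats one SSL_OP_* flag.

    Returns one of:
      "absent" - the macro is not defined in this build at all
      "no-op"  - defined, but as 0 (OpenSSL 1.1.0+ keeps only the name)
      "active" - defined with a real bit value (OpenSSL 1.0.x behaviour)
    """
    value = getattr(ssl, name, None)
    if value is None:
        return "absent"
    if value == 0:
        return "no-op"
    return "active"


def check_flags(names=FLAGS):
    """Map each flag name to its status and record the library version string."""
    report = {name: flag_status(name) for name in names}
    report["library"] = ssl.OPENSSL_VERSION
    return report


def available_ciphers(cipher_string):
    """Return {suite_name: protocol} for the suites an OpenSSL cipher string
    selects in this library, or {} if it selects nothing.

    set_ciphers() raises ssl.SSLError when no TLS 1.2 suite matches; that is
    the condition behind an "ssl_cipher_list_to_bytes:no ciphers available"
    failure. With OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately
    and therefore also appear in the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for key, status in check_flags().items():
        print(f"{key}: {status}")
    wanted = "ECDHE-ECDSA-AES256-GCM-SHA384"  # the suite from the thread
    print(wanted, "->", available_ciphers(wanted) or "no ciphers available")
```

Run it on the proxy host with the same OpenSSL that Squid links. A non-empty result from available_ciphers() only shows that the library knows the suite; an ECDHE-ECDSA suite can be selected during a handshake only when the server presents an ECDSA certificate, so when both sides list the same suite and the handshake still fails, the key type of the peer's certificate is the next thing to check.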