Hey Dixit,

To get a response you would need to respond in the Bugzilla. Maybe Alex might be able to answer some of your questions about the subject.

All the best,
Eliezer

From: DIXIT Ankit <Ankit.Dixit@xxxxxxxxxxxx>

Eliezer,

* Short-term: Essentially disable OpenSSL built-in certificate validation (for certificates with missing intermediate CAs) and perform that validation from Squid, using X509_verify_cert(), after SSL_connect() returns control to Squid and Squid fetches the missing CAs. This approach still requires some non-trivial Squid development and keeping an eye on OpenSSL built-in validation logic, but it can be completed without OpenSSL modifications and, IMHO, without replicating a lot of OpenSSL internal validation logic.

* Long-term: We need a new OpenSSL callback for pausing OpenSSL processing after the TLS v1.3 server handshake is decrypted and before certificate validation starts.

sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

Regards,
Ankit Dixit | IS Cloud Team
Eurostar International Ltd
Times House | Bravingtons Walk | London N1 9AW
Office: +44 (0)207 84 35550 (Extension 35530)

From: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>

Hey Dixit,

Have you seen the next bug report: https://bugs.squid-cache.org/show_bug.cgi?id=5067#c4

Alex/Amos: I assume that this specific issue deserves a DEBUG which will describe and relate to this BUG:5067 report.

Eliezer

From: DIXIT Ankit <Ankit.Dixit@xxxxxxxxxxxx>

Eliezer/Team,

Any help would be appreciated.

Regards,
Ankit Dixit

From: DIXIT Ankit
Subject changed

Eliezer/Team,

Connecting with you again after we upgraded to Squid version 4. We have blacklisted the domain categories on Squid Proxy, but we are getting the below exception in cache.log, and due to this internet is not flowing from client servers via squid. This blacklist category has thousands of blacklisted domains.

kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer

Is there any specific SSL certificate we need to configure? Or is there any other issue you see here?

Regards,
Ankit Dixit

From: DIXIT Ankit

Eliezer,

SSL was failing for a few applications but was working fine for other applications. So we reverted to the old version. I am not sure what SSL certificate dependency was there. Would be great if you can suggest memory leak solutions in the 3.12 version.

Regards,
Ankit Dixit

From: Eliezer Croitor <ngtech1ltd@xxxxxxxxx>

Hey,

What happened with this issue? I am waiting for any input about this issue to understand with what I can try to help.

Eliezer

From: DIXIT Ankit [mailto:Ankit.Dixit@xxxxxxxxxxxx]

For your information, we have added the below configurations but again the same issue.

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Regards,
Ankit Dixit

From: DIXIT Ankit

Eliezer,

Clients are facing some SSL related issues after the upgrade. I could see the below error. Please suggest, it's a little urgent.

quid[6706]: Error negotiating SSL connection on FD 167: error:00000001:lib(0):func(0):reason(1) (1/0)

Regards,
Ankit Dixit

From: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>

The first thing to do is look at: https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
It should clear a couple of doubts for you.

Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

From: DIXIT Ankit

Eliezer,

We installed Squid 4.12 on a production server, Amazon Linux 2, successfully, but I could see the below messages in the logs for SECURITY ALERT: Host header forgery detected. These are getting generated very frequently. Can we ignore this, or is it advised to suppress these alerts?

kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443
2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on local=IP remote=IP FD 97 flags=33 (local IP does not match any domain IP)

Regards,
Ankit Dixit | IS Cloud Team
Eurostar International Ltd
Times House | Bravingtons Walk | London N1 9AW
Office: +44 (0)207 84 35550 (Extension 35530)

This email (including any attachments) is intended only for the addressee(s), is confidential and may be legally privileged. If you are not the intended recipient, do not use, disclose, copy, or forward this email. Please notify the sender immediately and then delete it. Eurostar International Limited and its affiliates ("EIL") do not accept any liability for action taken in reliance on this email. EIL makes no representation that this email is free of viruses and addressees should check this email for viruses. The comments or statements expressed in this email are not necessarily those of EIL.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
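As an added example (not part of the thread and not Squid project code), the script below triages the two kinds of cache.log lines quoted in the messages above: the "Error negotiating SSL" failures (split into their OpenSSL reason string, e.g. "certificate verify failed") and the "SECURITY ALERT: Host header forgery detected" lines (counted by reason and by the URL Squid logs on the companion line). The sample log is constructed from the lines in the thread; timestamps, FD numbers and the 192.0.2.x addresses are placeholders. The hint texts only restate what the thread itself points at (bug 5067 and the HostHeaderForgery knowledge-base page).

```python
import re
from collections import Counter

# Constructed sample cache.log lines, modelled on the ones quoted in the thread.
# Timestamps, FD numbers and the 192.0.2.x addresses are placeholders, not real data.
SAMPLE_LOG = """\
2020/06/30 07:41:29 kid1| Error negotiating SSL on FD 33: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2020/06/30 07:41:30 kid1| Error negotiating SSL connection on FD 26: (104) Connection reset by peer
2020/06/30 07:41:31 kid1| Error negotiating SSL connection on FD 167: error:00000001:lib(0):func(0):reason(1) (1/0)
2020/06/30 07:41:29 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:443 remote=192.0.2.20:51234 FD 97 flags=33 (local IP does not match any domain IP)
2020/06/30 07:41:29 kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443
2020/06/30 07:41:35 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:443 remote=192.0.2.20:51240 FD 98 flags=33 (local IP does not match any domain IP)
2020/06/30 07:41:35 kid2| SECURITY ALERT: on URL: 5-25-3-app.agent.datadoghq.com:443
2020/06/30 07:41:40 kid1| Error negotiating SSL on FD 41: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
"""

# Squid writes either "Error negotiating SSL on FD N:" or "... SSL connection on FD N:".
SSL_ERR_RE = re.compile(r"Error negotiating SSL(?: connection)? on FD (\d+): (.*)$")
FORGERY_RE = re.compile(
    r"Host header forgery detected on local=(\S+) remote=(\S+) FD (\d+) flags=(\d+) \(([^)]*)\)"
)
FORGERY_URL_RE = re.compile(r"SECURITY ALERT: on URL: (\S+)")

# Interpretation notes, limited to what the thread itself points at.
HINTS = {
    "certificate verify failed": "Squid could not validate the origin certificate chain; "
        "the thread links this to Squid bug 5067 (servers that omit intermediate CAs).",
    "local IP does not match any domain IP": "The IP the client connected to is not among the "
        "IPs Squid resolves for the Host name; read "
        "https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery before suppressing anything.",
}


def _strip_trailer(msg: str) -> str:
    """Remove Squid's trailing '(ret/ssl_err/errno)' diagnostic tuple, e.g. '(1/-1/0)'."""
    return re.sub(r"\s\(-?\d+(?:/-?\d+)*\)$", "", msg).strip()


def classify_ssl_error(msg: str) -> str:
    """Map the text after 'Error negotiating SSL ... on FD N:' to a stable reason key."""
    msg = _strip_trailer(msg)
    if msg.startswith("error:"):
        # OpenSSL format: error:<code>:<library>:<function>:<reason>
        parts = msg.split(":", 4)
        if len(parts) == 5:
            return parts[4]
    return msg  # non-OpenSSL failure, e.g. '(104) Connection reset by peer'


def triage(log_text: str) -> dict:
    """Count SSL negotiation failures by reason and forgery alerts by reason and URL."""
    ssl_errors, forgery_reasons, forgery_urls = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = SSL_ERR_RE.search(line)
        if m:
            ssl_errors[classify_ssl_error(m.group(2))] += 1
            continue
        m = FORGERY_RE.search(line)
        if m:
            forgery_reasons[m.group(5)] += 1
            continue
        m = FORGERY_URL_RE.search(line)
        if m:
            forgery_urls[m.group(1)] += 1
    return {
        "ssl_errors": dict(ssl_errors),
        "forgery_reasons": dict(forgery_reasons),
        "forgery_urls": dict(forgery_urls),
    }


def hints_for(summary: dict) -> list:
    """Return the hint text for every counted reason that has an entry in HINTS."""
    found = list(summary["ssl_errors"]) + list(summary["forgery_reasons"])
    return [HINTS[k] for k in found if k in HINTS]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, counts in result.items():
        print(section)
        for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {key}")
    for h in hints_for(result):
        print("hint:", h)
```

Run against a real cache.log (`triage(open("/var/log/squid/cache.log").read())`), the per-reason counts separate chain-validation failures from plain connection resets, and the per-URL counts show whether the forgery alerts cluster on a handful of names (as with the datadoghq.com host in the thread) or are spread across many destinations, which is the first thing to establish before deciding whether those alerts can be tolerated.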