> I am currently using squid-cache in a hierarchy setup, with TLS enabled throughout.
> client --> child Squid --> parent Squid --> web server
>> Do you use SslBump anywhere?
I am not using SslBump. Part of my child squid config looks like:
https_port 3128\
accel\
no-vhost\
defaultsite=origin\
cert=/squid/certs/server/cert.pem\
key=/squid/certs/server/key.pem\
cafile=/squid/certs/server/ca.pem\
clientca=/squid/certs/server/ca.pem

cache_peer\
parentsquid.com\
parent\
3128\
0\
no-query\
originserver\
no-digest\
no-netdb-exchange\
login=PASSTHRU\
tls\
tls-options=NO_TICKET\
sslcert=/squid/certs/client/cert.pem\
sslkey=/squid/certs/client/key.pem\
tls-cafile=/squid/certs/client/ca.pem
> Openssl version: 1.0.2k
> This setup is working for 3.5.20.
> But when I updated to squid 4 (tried 4.8, 4.11 and 4.13),
>> Does all of the above apply to both child and parent Squids? Or just the
>> child?
The following scenarios are working:
client --> child Squid 3.5.20 --> parent Squid 3.5.20 --> web server
client --> child Squid 4 --> parent Squid 3.5.20 --> web server
client --> Squid 4 --> web server
But this scenario is failing:
client --> child Squid 4 --> parent Squid 4 --> web server
> initial HTTP request goes through, but TLS renegotiation is failing
> between child and parent squid for the following requests.
>
> From the logs, it looks like child squid is trying to initialize TLS
> renegotiating using old TLS session ID, but parent squid is rejecting
> session resumption.
>
> I confirm this behavior using openssl s_client --reconnect option.
>
> I tried to disable client-initiated TLS renegotiation by setting
> tls-options=NO_TICKET (on child squid), but it is affecting the behavior.
>> Did you mean to say "_not_ affecting the behavior"?
Sorry for the typo. Yes, with NO_TICKET set, I am encountering the same issue.
> Are there any changes in default TLS renegotiation behavior between
> squid 3.5 and 4.x?
It is difficult for me to say for sure -- too many changes in the
surrounding code, too long ago. "Maybe" is the best answer I can give.
Hopefully, others can be more specific.
> Is there a way to disable the client (child squid) initiated TLS
> renegotiation in squid 4?
>> OpenSSL v1.1 docs have the following paragraph:
> By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET
> option will cause stateless tickets to not be issued. In TLSv1.2 and
> below this means no ticket gets sent to the client at all. In TLSv1.3
> a stateful ticket will be sent. This is a server-side option only.
>> The last sentence is interesting. However, OpenSSL v1.0 documentation
>> does not have that last caveat. It has another somewhat vague or open to
>> interpretation statement. Perhaps OpenSSL behavior changed with v1.1. In
>> that case, ignore this caveat.
>> You can try options discussed in the SECURE RENEGOTIATION section of
>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>> but it is not clear to me whether they apply to your environment.
I tried SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, etc. in the openssl options,
but it did not change the behaviour.
Unfortunately, I can't update to OpenSSL v1.1 because of OS dependency issues.
Manoj
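The thread's diagnostic is `openssl s_client -reconnect`, which reports, for the first connection and each reconnect, whether the peer did a full handshake ("New, ...") or accepted the cached session ("Reused, ..."). The script below is an added example (not part of the squid-users post and not Squid's own code) that wraps that command and turns the per-connection verdicts into a yes/no answer about whether the parent honours resumption; the host name, port and certificate paths are placeholders, and the sample output is constructed to match s_client's summary-line format rather than a real capture.

```python
"""Check whether a TLS peer honours session resumption on reconnect.

Added example for this thread (not part of the squid-users post and not
Squid's own code). It wraps `openssl s_client -reconnect`, the diagnostic
the poster used, and parses the session summary line that s_client prints
for each connection: "New, <proto>, Cipher is <cipher>" for a full
handshake and "Reused, <proto>, Cipher is <cipher>" when the peer accepted
the cached session. Host names, ports and certificate paths are placeholders.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# One summary line per connection; "New" = full handshake, "Reused" = resumed.
SUMMARY_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)", re.MULTILINE)


@dataclass
class ResumptionReport:
    handshakes: List[str]   # "New"/"Reused" for the first connection and each reconnect
    protocols: List[str]    # protocol string s_client printed for each connection

    @property
    def reconnects(self) -> int:
        return max(len(self.handshakes) - 1, 0)

    @property
    def resumption_honoured(self) -> bool:
        """True when every reconnect after the first handshake was resumed."""
        return self.reconnects > 0 and all(h == "Reused" for h in self.handshakes[1:])


def parse_s_client_output(text: str) -> ResumptionReport:
    """Extract the per-connection New/Reused verdicts from s_client output."""
    matches = SUMMARY_RE.findall(text)
    return ResumptionReport(
        handshakes=[state for state, _proto, _cipher in matches],
        protocols=[proto for _state, proto, _cipher in matches],
    )


def s_client_command(host: str, port: int, cafile: str, certfile: str,
                     keyfile: str, use_tickets: bool = True) -> List[str]:
    """Build the s_client invocation; the client cert/key are needed when the
    peer, like the parent Squid in the thread, requires a client certificate."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect",
           "-CAfile", cafile, "-cert", certfile, "-key", keyfile]
    if not use_tickets:
        # Disable RFC 5077 tickets on the client side so resumption must use
        # session IDs; lets you compare both resumption mechanisms separately.
        cmd.append("-no_ticket")
    return cmd


def check_resumption(host: str, port: int, cafile: str, certfile: str, keyfile: str,
                     use_tickets: bool = True, timeout: int = 30) -> ResumptionReport:
    """Run s_client against a live peer and parse the result (needs network)."""
    proc = subprocess.run(s_client_command(host, port, cafile, certfile, keyfile, use_tickets),
                          input=b"", capture_output=True, timeout=timeout)
    return parse_s_client_output(proc.stdout.decode("utf-8", errors="replace"))


# Constructed sample output modelled on s_client's summary lines (not a real capture).
SAMPLE_RESUMED = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""

# Same exchange, but the peer rejected every cached session (full handshakes only).
SAMPLE_REJECTED = SAMPLE_RESUMED.replace("Reused,", "New,")


if __name__ == "__main__":
    for name, sample in (("resumed", SAMPLE_RESUMED), ("rejected", SAMPLE_REJECTED)):
        report = parse_s_client_output(sample)
        print(name, report.handshakes,
              "honoured" if report.resumption_honoured else "rejected")
```

Run `check_resumption("parentsquid.com", 3128, cafile, certfile, keyfile)` from the child Squid host with the child's client certificate; a report whose reconnects are all "New" reproduces the rejection described in the thread, and repeating it with `use_tickets=False` shows whether session-ID resumption and ticket resumption behave differently, which narrows down which side's option is in play.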
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users