On 19/01/21 6:04 am, Eliezer Croitoru wrote:
I wrote the next "helping/helper/testing scripts": https://github.com/elico/tls-check-script/blob/master/tls-check.rb https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh Now I am trying to verify what issues exists that causes squid to this result: 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1) connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33 So the output of: bash check-dns-san.sh 161.117.96.220 443 is: ## START Can't use SSL_get_servername depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018 verify return:1 depth=0 CN = data.mistat.intl.xiaomi.com verify return:1 DONE X509v3 Subject Alternative Name: DNS:data.mistat.intl.xiaomi.com ## END And then I am testing with the next command: ruby tls-check.rb 161.117.96.220 443 and the output is: ## START ### Number of Ciphers to be tested: 66 ### Timeout per test: 3 ### Delay between tests: 1 Testing TLS_AES_256_GCM_SHA384... NO, SSL_CTX_set_cipher_list Testing TLS_CHACHA20_POLY1305_SHA256... NO, SSL_CTX_set_cipher_list Testing TLS_AES_128_GCM_SHA256... NO, SSL_CTX_set_cipher_list Testing TLS_AES_128_CCM_SHA256... NO, SSL_CTX_set_cipher_list Testing ECDHE-ECDSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED: ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES256-GCM-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure Testing ECDHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure Testing DHE-RSA-CHACHA20-POLY1305... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES256-CCM8... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES256-CCM... NO, sslv3 alert handshake failure Testing DHE-RSA-AES256-CCM8... NO, sslv3 alert handshake failure Testing DHE-RSA-AES256-CCM... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure Testing DHE-RSA-ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES128-GCM-SHA256... CONNECTED: ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES128-GCM-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES128-CCM8... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES128-CCM... NO, sslv3 alert handshake failure Testing DHE-RSA-AES128-CCM8... NO, sslv3 alert handshake failure Testing DHE-RSA-AES128-CCM... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure Testing DHE-RSA-ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES256-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES256-SHA384... CONNECTED: ECDHE-RSA-AES256-SHA384, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES256-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure Testing ECDHE-RSA-CAMELLIA256-SHA384... NO, sslv3 alert handshake failure Testing DHE-RSA-CAMELLIA256-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES128-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES128-SHA256... CONNECTED: ECDHE-RSA-AES128-SHA256, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES128-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure Testing DHE-RSA-CAMELLIA128-SHA256... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES256-SHA... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES256-SHA... CONNECTED: ECDHE-RSA-AES256-SHA, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES256-SHA... NO, sslv3 alert handshake failure Testing DHE-RSA-CAMELLIA256-SHA... NO, sslv3 alert handshake failure Testing ECDHE-ECDSA-AES128-SHA... NO, sslv3 alert handshake failure Testing ECDHE-RSA-AES128-SHA... CONNECTED: ECDHE-RSA-AES128-SHA, YES, Secure Renegotiation IS supported Testing DHE-RSA-AES128-SHA... NO, sslv3 alert handshake failure Testing DHE-RSA-CAMELLIA128-SHA... NO, sslv3 alert handshake failure Testing AES256-GCM-SHA384... CONNECTED: AES256-GCM-SHA384, YES, Secure Renegotiation IS supported Testing AES256-CCM8... NO, sslv3 alert handshake failure Testing AES256-CCM... NO, sslv3 alert handshake failure Testing ARIA256-GCM-SHA384... NO, sslv3 alert handshake failure Testing AES128-GCM-SHA256... CONNECTED: AES128-GCM-SHA256, YES, Secure Renegotiation IS supported Testing AES128-CCM8... NO, sslv3 alert handshake failure Testing AES128-CCM... NO, sslv3 alert handshake failure Testing ARIA128-GCM-SHA256... NO, sslv3 alert handshake failure Testing AES256-SHA256... CONNECTED: AES256-SHA256, YES, Secure Renegotiation IS supported Testing CAMELLIA256-SHA256... NO, sslv3 alert handshake failure Testing AES128-SHA256... CONNECTED: AES128-SHA256, YES, Secure Renegotiation IS supported Testing CAMELLIA128-SHA256... NO, sslv3 alert handshake failure Testing AES256-SHA... CONNECTED: AES256-SHA, YES, Secure Renegotiation IS supported Testing CAMELLIA256-SHA... NO, sslv3 alert handshake failure Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure Renegotiation IS supported Testing CAMELLIA128-SHA... NO, sslv3 alert handshake failure Testing DHE-RSA-SEED-SHA... NO, sslv3 alert handshake failure Testing SEED-SHA... NO, sslv3 alert handshake failure Testing IDEA-CBC-SHA... NO, ssl_cipher_process_rulestr ## END I assume that the above results might give a clue why mentioned error line: 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46: error:00000001:lib(0):func(0):reason(1) (1/-1) connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ flags=33
Take the output above and grep "CONNECTED: ". If the client or Squid do not support those combinations, the above error will result when connecting to that server.
> Testing ECDHE-RSA-AES256-GCM-SHA384... CONNECTED: > ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported > Testing ECDHE-RSA-AES128-GCM-SHA256...CONNECTED: > ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported > Testing ECDHE-RSA-AES256-SHA384...CONNECTED: ECDHE-RSA-AES256-SHA384, > Testing ECDHE-RSA-AES128-SHA256...CONNECTED: ECDHE-RSA-AES128-SHA256, > Testing ECDHE-RSA-AES256-SHA... CONNECTED: ECDHE-RSA-AES256-SHA, YES, > Testing AES256-GCM-SHA384... CONNECTED: AES256-GCM-SHA384, YES, > Testing AES128-GCM-SHA256... CONNECTED: AES128-GCM-SHA256, YES, > Testing AES256-SHA256... CONNECTED: AES256-SHA256, YES, Secure > Testing AES128-SHA256... CONNECTED: AES128-SHA256, YES, Secure > Testing AES256-SHA... CONNECTED: AES256-SHA, YES, Secure > Testing AES128-SHA... CONNECTED: AES128-SHA, YES, Secure > ## END
happens. However I am not sure. Are there any config that might affect this negotiation in squid?
When either SHA or AES are not possible for Squid to use it will happen. Depending on whether your Squid is doing bumping or not will will determine whether it is possible to affect with a configuration change or if the issue is the client software.
Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
