Re: Can I configure squid5 with Boring SSL

Hi Alex,

Thanks for confirming this, it saved me a lot of time :)

The reasons why I wanted to try building squid5 with BoringSSL are:
1) The current squid build with OpenSSL is not showing transactional ciphers while browsing via Chrome, e.g. (TLS_GREASE_DA), (TLS_GREASE_IS_THE_WORD_BA) --> is there any way to add these?
2) I am unable to suppress the named group 'secp521r1' while going via this squid build on the Chrome browser. --> Is there any way to suppress this?

I am using https://browserleaks.com/ssl and https://www.howsmyssl.com to check the above parameters.

I am using the configs below with OpenSSL and it works fine except for the above mentioned issues.

acl manager proto cache_object
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # multiling http
acl CONNECT method CONNECT
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl blocked_sites ssl::server_name .apple.com
acl amazon_deny dstdomain "/opt/squid/squid5/etc/blockdomains"
http_access allow localnet
http_access allow localhost
http_access deny blocked_sites
http_access deny amazon_deny
http_access allow all
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/opt/squid/squid5/etc/certs/ProxyBump.crt tls-key=/opt/squid/squid5/etc/certs/ProxyBump.key tls-dh=prime256v1:/opt/squid/squid5/etc/certs/ProxyBump.pem
sslcrtd_program /opt/squid/squid5/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 512MB
sslproxy_cert_error allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
tls_outgoing_options cipher=HIGH:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
cache_mem 1024 MB
cache deny all
cache_dir aufs /opt/squid/squid5/var/cache/squid 1024 16 256
shutdown_lifetime 2 seconds
coredump_dir /opt/squid/squid5/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer 10.12.11.2 parent 8080 0 no-query default login=abc:abc@123
never_direct allow all
server_persistent_connections off
logfile_rotate 30
via off
forwarded_for delete
visible_hostname localhost
logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %>h %Se %>sh
logformat extended  %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %Hs %<st "%{Referer}>h" "%{User-agent}>h"
cache_log /opt/squid/squid5/var/logs/cache.log
acl hasRequest has request
access_log none !hasRequest
access_log stdio:/opt/squid/squid5/var/logs/access.log
access_log stdio:/opt/squid/squid5/var/logs/access.log.mitm extended
pid_filename /opt/squid/squid5/var/run/squid.pid
max_filedescriptors 5000

Any help is appreciated. Thanks in advance!

Thanks,
Vinod
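Both things being compared above, the TLS_GREASE_* "ciphers" and the named-group list, live in the TLS ClientHello that the client (browser or, for bumped traffic, the proxy) sends. The following is an added example, not part of this thread or of Squid: it builds a constructed Chrome-style ClientHello and then parses it, separating RFC 8701 GREASE placeholders (random 0x?A?A values that are not real cipher suites or groups) from the real cipher suites and supported groups such as secp521r1; the parser can be run unchanged on a captured ClientHello record to see what a given client actually offers.

```python
import struct

# Identifiers from the IANA TLS registries (subset used by this demo).
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001d: "x25519"}
CIPHERS = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
           0xc02f: "ECDHE-RSA-AES128-GCM-SHA256", 0xc030: "ECDHE-RSA-AES256-GCM-SHA384"}

def is_grease(v):
    """RFC 8701 GREASE values have the form 0x?A?A with both bytes equal."""
    return (v >> 8) == (v & 0xff) and (v & 0x0f) == 0x0a

def build_client_hello(ciphers, groups):
    """Constructed minimal TLS record carrying a ClientHello (demo input, not a capture)."""
    def u16list(vals):
        return struct.pack(">H", 2 * len(vals)) + b"".join(struct.pack(">H", v) for v in vals)
    ext_data = u16list(groups)                                # supported_groups payload
    ext = struct.pack(">HH", 0x000a, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + u16list(ciphers) + b"\x01\x00"                  # cipher suites, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(rec):
    """Return the cipher suite ids and supported_groups ids offered in a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                                      # record hdr, hs hdr, version, random
    pos += 1 + rec[pos]                                       # session id
    n = struct.unpack_from(">H", rec, pos)[0]; pos += 2
    ciphers = [struct.unpack_from(">H", rec, pos + i)[0] for i in range(0, n, 2)]; pos += n
    pos += 1 + rec[pos]                                       # compression methods
    end = pos + 2 + struct.unpack_from(">H", rec, pos)[0]; pos += 2
    groups = []
    while pos < end:
        etype, elen = struct.unpack_from(">HH", rec, pos); pos += 4
        if etype == 0x000a:                                   # supported_groups extension
            glen = struct.unpack_from(">H", rec, pos)[0]
            groups = [struct.unpack_from(">H", rec, pos + 2 + i)[0] for i in range(0, glen, 2)]
        pos += elen
    return ciphers, groups

def classify(rec):
    """Separate GREASE placeholders from real offers and name the known ones."""
    ciphers, groups = parse_client_hello(rec)
    return {"grease_ciphers": [c for c in ciphers if is_grease(c)],
            "real_ciphers": [CIPHERS.get(c, hex(c)) for c in ciphers if not is_grease(c)],
            "grease_groups": [g for g in groups if is_grease(g)],
            "real_groups": [GROUPS.get(g, hex(g)) for g in groups if not is_grease(g)]}
```

Running `classify(build_client_hello([0x5a5a, 0x1301, 0xc02f], [0x2a2a, 0x001d, 0x0017, 0x0019]))` reports one GREASE cipher and one GREASE group alongside the real offers, including secp521r1 in the group list.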

On Tue, May 4, 2021 at 2:12 AM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello Vinod,

    Squid does not support BoringSSL, and we will not add such support
in the foreseeable future. We have more than enough troubles with GnuTLS
support and not enough resources to support yet another TLS library,
especially one that is not meant for general use[1]!

[1] https://boringssl.googlesource.com/boringssl/
Although BoringSSL is an open source project, it is not intended for
general use, as OpenSSL is. We don't recommend that third parties depend
upon it. Doing so is likely to be frustrating because there are no
guarantees of API or ABI stability.


HTH,

Alex.


On 5/3/21 4:10 PM, vinod mg wrote:
> Hi Team,
>
> I have followed
> - https://www.interserver.net/tips/kb/openssl-vs-boringssl-boringssl-install-boringssl/
> and was able to install it in the server's /home/src/boringssl
>
> While configuring squid I am using the options below:
>
> ./configure '--prefix=/opt/boring/squid5'
> '--with-openssl=/home/src/boringssl' '--enable-ssl-crtd'
> '--with-filedescriptors=3276800' '--enable-storeio=diskd,aufs,ufs'
> '--with-large-files' '--enable-useragent-log'
> '--enable-ltdl-convenience' '--with-tls' '--enable-http-violations'
>
>
> While running 'make' I am getting the error below, and I am not able to find a
> solution for this.
>
> In file included from ../../src/ssl/support.h:21,
>                  from ../../src/SquidConfig.h:29,
>                  from old_api.cc:24:
> ../../src/ssl/gadgets.h:56:25: error: ‘TXT_DB’ was not declared in this scope
>  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
> ../../src/ssl/gadgets.h:56:47: error: ‘TXT_DB’ was not declared in this scope
>  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
> ../../src/ssl/gadgets.h:56:68: error: template argument 2 is invalid
>  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
> ../../src/ssl/gadgets.h:56:68: error: template argument 3 is invalid
> ../../src/ssl/gadgets.h:56:71: error: template argument 1 is invalid
>  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
> ../../src/ssl/gadgets.h:56:71: error: template argument 2 is invalid
> ../../src/ssl/gadgets.h:56:1: error: ‘typedef’ was ignored in this declaration [-Werror]
>  typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
> cc1plus: all warnings being treated as errors
> make[3]: *** [Makefile:840: old_api.lo] Error 1
> make[3]: Leaving directory '/tmp/squid-5.0.5/src/mem'
> make[2]: *** [Makefile:6851: all-recursive] Error 1
> make[2]: Leaving directory '/tmp/squid-5.0.5/src'
> make[1]: *** [Makefile:5840: all] Error 2
> make[1]: Leaving directory '/tmp/squid-5.0.5/src'
> make: *** [Makefile:593: all-recursive] Error 1
>
>
> My node is running on CentOS Linux release 8.3.2011
> Squid version - 5.0.4
> Installed Openssl version - OpenSSL 1.1.1g FIPS  21 Apr 2020
>
> Thanks,
> Vinod
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>

