Hello,
After sending the previous (quoted below) email, I came across another
recent thread [1] where it is mentioned by Alex that:
> If SslBump configuration peeks at the server, then Squid cannot honor
> tls_outgoing_options.
So here is ssl_bump options too, in case that information is required:
ssl_bump peek ssl_step1 # step1 - so not peeking at the server yet
ssl_bump splice nosslbump_domains # step2 or 3, tunnel some domains we do not want to bump
ssl_bump stare all # step2 stare (not peek) at the server
ssl_bump bump all # step3, bump all connections that reached here
So I think in my case (previous email), squid should honor
tls_outgoing_options.
Regards,
[1] http://lists.squid-cache.org/pipermail/squid-users/2022-December/025507.html
Amish
On 26/12/22 11:16, Amish wrote:
Hello
I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)
I have set up SSL bump, which was working fine until the OpenSSL 1.1.1 series.
With OpenSSL 3.0.7, SSL bump still works fine except for some (unpatched) sites.
For example:
https://www.jio.com/ (A leading mobile network provider in India)
For the above site, squid throws an error page with this message:
[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1)
Failed to establish a secure connection: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Testing the same site with OpenSSL (via s_client) also fails unless
legacy renegotiation is enabled:
$ openssl s_client -connect www.jio.com:443
40C7F204E37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
$ openssl s_client -legacy_renegotiation -connect www.jio.com:443
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
...
Since the website is an important one, I am trying to tell squid to allow legacy server connect (I also tried with unsafe renegotiation).
Source: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
squid.conf:
# workaround for legacy / unpatched servers
tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION
# other related TLS related settings
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# systemctl reload squid
But I am still getting the same error when trying to connect to the
above site via squid proxy. (Works fine without proxy)
What am I doing wrong?
Tips / help appreciated,
Thank you,
Amish.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
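The "TLS code:" string on the Squid error page quoted in the thread packs the raw OpenSSL error number (`TLS_LIB_ERR=A000152`) next to the `SSL_get_error()` result (`TLS_IO_ERR=1`). The decoder below is an added example, not code from the thread or from the Squid or OpenSSL projects. It unpacks the hex value using the OpenSSL 3 error layout (library id in the bits above bit 23, reason code in the low 23 bits, bit 31 marking a wrapped errno) and maps the numbers to the symbolic names from OpenSSL's `err.h`, `sslerr.h` and `ssl.h`; the name tables are deliberately partial, the `parse_squid_tls_error` and `unpack_openssl_error` functions are mine, and the `CATEGORY+KEY=VALUE` field layout is inferred from the single sample on the page rather than from Squid's source. It is useful when triaging SslBump failures from access logs, since the same hex code distinguishes "server lacks secure renegotiation" from certificate or protocol-version problems without re-running `s_client`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# OpenSSL 3 packs a library error as (library << 23) | reason (ERR_PACK in
# err.h); bit 31 set means the value wraps an errno instead of a library error.
ERR_LIB_SHIFT = 23
ERR_REASON_MASK = (1 << ERR_LIB_SHIFT) - 1
ERR_SYSTEM_FLAG = 1 << 31

# Library ids from OpenSSL err.h (only the one this thread needs).
ERR_LIB_NAMES = {20: "ERR_LIB_SSL"}

# Reason codes for ERR_LIB_SSL from OpenSSL sslerr.h (partial table).
SSL_REASON_NAMES = {
    134: "SSL_R_CERTIFICATE_VERIFY_FAILED",
    252: "SSL_R_UNSUPPORTED_PROTOCOL",
    267: "SSL_R_WRONG_VERSION_NUMBER",
    338: "SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED",
    1040: "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE",
    1048: "SSL_R_TLSV1_ALERT_UNKNOWN_CA",
}

# SSL_get_error() return values (ssl.h), which Squid reports as TLS_IO_ERR.
SSL_IO_ERR_NAMES = {
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
}

# Defender-facing meaning of the SSL reasons most often seen behind SslBump.
REASON_HINTS = {
    338: ("upstream server did not offer the RFC 5746 secure renegotiation "
          "extension; OpenSSL 3 refuses such servers unless "
          "SSL_OP_LEGACY_SERVER_CONNECT is set on the outgoing context"),
    134: "upstream certificate chain failed verification against the cafile",
}


@dataclass
class SquidTlsError:
    category: str
    lib_code: Optional[int]
    lib_name: str
    reason_code: Optional[int]
    reason_name: str
    io_err: Optional[int]
    io_name: str
    hint: str


def unpack_openssl_error(code: int) -> Tuple[int, int]:
    """Split a packed OpenSSL 3 error code into (library id, reason code)."""
    if code & ERR_SYSTEM_FLAG:
        # System errors carry the errno in the low bits and have no library id.
        return 0, code & 0x7FFFFFFF
    return code >> ERR_LIB_SHIFT, code & ERR_REASON_MASK


def parse_squid_tls_error(detail: str) -> SquidTlsError:
    """Decode the 'TLS code:' string from a Squid error page.

    Layout assumed from the sample in the thread: CATEGORY+KEY=VALUE+...,
    where TLS_LIB_ERR is the packed OpenSSL code in hex and TLS_IO_ERR is
    the SSL_get_error() result.
    """
    tokens = detail.strip().split("+")
    category = tokens[0]
    fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)

    lib_code = reason_code = io_err = None
    lib_name = reason_name = io_name = "unknown"
    if "TLS_LIB_ERR" in fields:
        lib_code, reason_code = unpack_openssl_error(int(fields["TLS_LIB_ERR"], 16))
        lib_name = ERR_LIB_NAMES.get(lib_code, f"lib {lib_code}")
        if lib_code == 20:
            reason_name = SSL_REASON_NAMES.get(reason_code, f"reason {reason_code}")
        else:
            reason_name = f"reason {reason_code}"
    if "TLS_IO_ERR" in fields:
        io_err = int(fields["TLS_IO_ERR"])
        io_name = SSL_IO_ERR_NAMES.get(io_err, f"io error {io_err}")

    hint = REASON_HINTS.get(reason_code, "") if lib_code == 20 else ""
    return SquidTlsError(category, lib_code, lib_name, reason_code, reason_name,
                         io_err, io_name, hint)


if __name__ == "__main__":
    # Sample taken from the error page quoted in the thread.
    sample = "SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1"
    err = parse_squid_tls_error(sample)
    print(f"{err.category}: {err.lib_name}/{err.reason_name} ({err.io_name})")
    if err.hint:
        print("  ->", err.hint)
```

Run against the thread's sample, `A000152` decodes to library 20 (`ERR_LIB_SSL`) and reason 338 (`SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED`), which is exactly what `s_client` printed in words. Because `LEGACY_SERVER_CONNECT` re-enables the renegotiation behaviour that RFC 5746 was written to close, a defender would normally scope that option to the few destinations that need it rather than every bumped connection, and keep an eye on how often this reason code recurs per destination in the logs.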