Re: LEGACY_SERVER_CONNECT, ALLOW_UNSAFE_LEGACY_RENEGOTIATION does not work - SSL bump, OpenSSL 3

Hello,

After sending the previous (quoted below) email, I came across another recent thread [1] where it is mentioned by Alex that:

> If SslBump configuration peeks at the server, then Squid cannot honor tls_outgoing_options.

So here are the ssl_bump options too, in case that information is required:

ssl_bump peek ssl_step1 # step1 - so not peeking at the server yet
ssl_bump splice nosslbump_domains # step2 or 3, tunnel some domains we do not want to bump
ssl_bump stare all # step2 stare (not peek) at the server
ssl_bump bump all # step3, bump all connections that reached here

So I think in my case (previous email), squid should honor tls_outgoing_options.

Regards,

[1] http://lists.squid-cache.org/pipermail/squid-users/2022-December/025507.html

Amish

On 26/12/22 11:16, Amish wrote:
Hello,

I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)

I have set up SSL bump, which was working fine up to the OpenSSL 1.1.1 series.

With OpenSSL 3.0.7, SSL bump still works fine, except for some (unpatched) sites.

For example:
https://www.jio.com/ (A leading mobile network provider in India)

For the above site, squid throws an error page with this message:

    [No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1)
    Failed to establish a secure connection: error:0A000152:SSL routines::unsafe legacy renegotiation disabled


Testing the same site with OpenSSL (via s_client) also fails unless legacy renegotiation is enabled:

$ openssl s_client -connect www.jio.com:443
40C7F204E37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:

$ openssl s_client  -legacy_renegotiation -connect www.jio.com:443
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
...


Since the website is one of the important websites, I am trying to tell squid to allow legacy server connect (I also tried unsafe renegotiation).

Source: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html

squid.conf:

# workaround for legacy / unpatched servers
tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION

# other TLS related settings
tls_outgoing_options cafile=/etc/ssl/cert.pem

tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# systemctl reload squid

But I am still getting the same error when trying to connect to the above site via squid proxy. (Works fine without proxy)

What am I doing wrong?

Tips / help appreciated,

Thank you,

Amish.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
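As an added example for this thread (not Squid or OpenSSL code), the script below decodes the TLS error token quoted from the Squid error page above into its OpenSSL library, reason and SSL_get_error() fields, and turns the squid.conf `options=` list into the SSL_OP_* bitmask it names. The numeric tables are partial copies of the OpenSSL 3.0 header values (ERR_LIB_*, SSL_R_*, SSL_OP_*) and cover only a handful of common codes; the token format is taken from the error page quoted in the message, and the cross-check against Python's ssl module is an assumption that the local build uses the same constants.

```python
"""Decode a Squid TLS error token and a tls_outgoing_options 'options=' list.

Added example for this thread; not Squid or OpenSSL code. Tables are partial
copies of OpenSSL 3.0 header values (err.h, sslerr.h, ssl.h); codes not in
the tables are reported by number only.
"""
import re

# OpenSSL 3.x packed error code: bits 23..30 = library, bits 0..22 = reason,
# bits 18..22 of the reason are flags, bit 31 marks an errno from the system.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_SYSTEM_FLAG = 0x80000000

ERR_LIB_NAMES = {2: "SYS", 6: "EVP", 9: "PEM", 11: "X509", 20: "SSL", 32: "BIO"}

# Reason codes of ERR_LIB_SSL; TLS alert reasons are 1000 + the peer's alert number.
SSL_REASONS = {
    134: "certificate verify failed",
    267: "wrong version number",
    338: "unsafe legacy renegotiation disabled",
    1040: "sslv3 alert handshake failure",
    1048: "tlsv1 alert unknown ca",
    1070: "tlsv1 alert protocol version",
}

# SSL_get_error() results; Squid reports this value as TLS_IO_ERR.
SSL_IO_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                 3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# SSL_OP_* bits from OpenSSL 3.0 ssl.h; squid.conf names drop the SSL_OP_ prefix.
SSL_OPTIONS = {
    "LEGACY_SERVER_CONNECT": 0x00000004,
    "ALLOW_UNSAFE_LEGACY_RENEGOTIATION": 0x00040000,
    "NO_SSLv3": 0x02000000,
    "NO_TLSv1": 0x04000000,
    "NO_TLSv1_2": 0x08000000,
    "NO_TLSv1_1": 0x10000000,
    "NO_TLSv1_3": 0x20000000,
    "NO_RENEGOTIATION": 0x40000000,
}


def decode_openssl_error(code):
    """Split a packed OpenSSL 3 error code (int) into library, reason and flags."""
    if code & ERR_SYSTEM_FLAG:  # errno carried through the error stack
        return {"lib": "SYS", "reason": code & 0x7FFFFFFF, "text": "errno", "fatal": False}
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    reason_num = reason & ((1 << ERR_RFLAGS_OFFSET) - 1)  # strip the flag bits
    text = SSL_REASONS.get(reason_num, "unknown reason") if lib == 20 else "unknown reason"
    return {"lib": ERR_LIB_NAMES.get(lib, str(lib)), "reason": reason_num,
            "text": text, "fatal": bool(reason & ERR_RFLAG_FATAL)}


def decode_squid_tls_token(token):
    """Parse e.g. 'SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1'."""
    m = re.fullmatch(r"(SQUID_TLS_ERR_\w+)\+TLS_LIB_ERR=([0-9A-Fa-f]+)\+TLS_IO_ERR=(\d+)", token)
    if not m:
        raise ValueError("not a Squid TLS error token: %r" % token)
    stage, lib_err_hex, io_err = m.groups()
    info = decode_openssl_error(int(lib_err_hex, 16))
    info["stage"] = stage
    info["io_error"] = SSL_IO_ERRORS.get(int(io_err), "SSL_ERROR_%s" % io_err)
    return info


def options_mask(spec):
    """Turn a squid.conf 'options=A,B' value into the SSL_OP_* bitmask it names.
    Names missing from the (partial) table raise instead of being silently dropped."""
    names = spec.split("=", 1)[1] if spec.startswith("options=") else spec
    mask = 0
    for name in filter(None, names.split(",")):
        if name not in SSL_OPTIONS:
            raise ValueError("option not in table: %s" % name)
        mask |= SSL_OPTIONS[name]
    return mask


def table_mismatches_with_local_ssl():
    """Compare SSL_OPTIONS with the constants Python's ssl module exposes (where present).
    Returns the list of names whose local value differs; empty means the table agrees."""
    try:
        import ssl
    except ImportError:  # Python built without OpenSSL: nothing to compare against
        return []
    return [name for name, bit in SSL_OPTIONS.items()
            if hasattr(ssl, "OP_" + name) and int(getattr(ssl, "OP_" + name)) != bit]


if __name__ == "__main__":
    token = "SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1"  # copied from the error page above
    print(decode_squid_tls_token(token))
    print(hex(options_mask("options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION")))
    print("table mismatches:", table_mismatches_with_local_ssl())
```

For the token quoted in the message the decoder yields library SSL, reason 338 (unsafe legacy renegotiation disabled) and TLS_IO_ERR=1, i.e. SSL_ERROR_SSL, which is the same code the s_client run shows as 0A000152; the two options from the squid.conf workaround combine to the mask 0x40004.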