On 12/26/22 00:46, Amish wrote:
> I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)
> squid.conf:
> # workaround for legacy / unpatched servers
> tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION
There are two problems here:
1. Squid v5.7 hides important configuration errors. That problem was
fixed in master/v6 commit 61be1d8, but that fix has not been backported
to v5. If it were, you would have seen errors like this:
ERROR: Unknown TLS option LEGACY_SERVER_CONNECT
ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION
You can still see those level-1 errors on stderr if you start Squid v5.7
with "-X", but they will be drowned in a sea of debugging records. Save
stderr output into a file and search it for ERROR.
I recommend lobbying for making the above configuration errors fatal in
Squid v6. I would be happy to post the corresponding code changes if
others agree that they should be fatal.
2. As the above errors imply, you are using options that Squid does not
understand. Squid cannot pass named options that it does not understand
to OpenSSL because Squid does not know their numerical values (OpenSSL
API requires a numeric value to enable an option). However, you can use
a dangerous workaround: You can specify their raw numeric values (in
hex). You may use the table at [1] to get those values[2]:
tls_outgoing_options options=0x4,0x40000
Disclaimer: I have not tested whether the above configuration matches
your intent. I only know that Squid v5 does not generate an ERROR for it.
[1] https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags
[2] The table provides numerical values for OpenSSL v1 options. For
OpenSSL v3, the table provides a SSL_OP_BIT(n) formula: 2 to the power
of n. For example, SSL_OP_BIT(2) is, in hex notation, 0x4.
#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
HTH,
Alex.
> # other related TLS settings
> tls_outgoing_options cafile=/etc/ssl/cert.pem
> tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> # systemctl reload squid
> But I am still getting the same error when trying to connect to the
> above site via squid proxy. (Works fine without proxy)
> What am I doing wrong?
> Tips / help appreciated,
> Thank you,
> Amish.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
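Alex's reply above says that Squid v5 only forwards the OpenSSL options it knows by name, and that for OpenSSL 3 the raw values follow SSL_OP_BIT(n) = 2^n. The script below is an added example, not code from Squid, OpenSSL or anyone in this thread: it turns flag names into the hex tokens Squid v5 accepts and decodes a hex list back into names, so a value such as options=0x4,0x40000 can be checked against what was intended before it goes into squid.conf. The bit positions in its table are hand-copied from OpenSSL 3.0's <openssl/ssl.h> (an assumption to verify against the headers the local Squid was built with), and only the handful of flags listed are covered.

```python
"""Map Squid tls_outgoing_options options= tokens to OpenSSL SSL_OP_* flags.

Added example, not Squid's or OpenSSL's code. Bit positions are hand-copied
from OpenSSL 3.0 <openssl/ssl.h>, where each flag is SSL_OP_BIT(n), i.e.
(uint64_t)1 << n. Assumption: check them against the ssl.h your Squid was
built against before trusting any hex value produced here.
"""
from __future__ import annotations

UINT64_MASK = (1 << 64) - 1

# name -> n in SSL_OP_BIT(n); a hand-copied subset of the full table.
SSL_OP_BITS = {
    "SSL_OP_LEGACY_SERVER_CONNECT": 2,
    "SSL_OP_NO_TICKET": 14,
    "SSL_OP_NO_COMPRESSION": 17,
    "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION": 18,
    "SSL_OP_CIPHER_SERVER_PREFERENCE": 22,
    "SSL_OP_NO_SSLv3": 25,
    "SSL_OP_NO_TLSv1": 26,
    "SSL_OP_NO_TLSv1_1": 28,
    "SSL_OP_NO_TLSv1_3": 29,
    "SSL_OP_NO_RENEGOTIATION": 30,
}

# Flags that restore pre-RFC 5746 renegotiation behaviour on the client side.
UNSAFE_FLAGS = {"SSL_OP_LEGACY_SERVER_CONNECT",
                "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"}


def ssl_op_bit(n: int) -> int:
    """Python equivalent of OpenSSL 3's SSL_OP_BIT(n) macro."""
    if not 0 <= n < 64:
        raise ValueError(f"SSL_OP_BIT({n}) does not fit a uint64")
    return (1 << n) & UINT64_MASK


def option_value(name: str) -> int:
    """Numeric value of one flag, e.g. SSL_OP_LEGACY_SERVER_CONNECT -> 0x4."""
    return ssl_op_bit(SSL_OP_BITS[name])


def parse_options(spec: str) -> int:
    """OR a comma-separated options= list into one uint64 mask.

    Tokens are flag names with or without the SSL_OP_ prefix (Squid's own
    names omit it) or raw numbers (0x hex or decimal), which is the form
    Squid v5 hands straight to OpenSSL.
    """
    mask = 0
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        name = token if token.startswith("SSL_OP_") else "SSL_OP_" + token
        if name in SSL_OP_BITS:
            mask |= option_value(name)
            continue
        value = int(token, 0)  # ValueError for names not in the table
        if not 0 <= value <= UINT64_MASK:
            raise ValueError(f"{token} does not fit a uint64")
        mask |= value
    return mask


def decode_options(mask: int) -> tuple[list[str], int]:
    """Split a mask into (known names in bit order, bits not in the table)."""
    names, leftover = [], mask
    for name, n in sorted(SSL_OP_BITS.items(), key=lambda kv: kv[1]):
        if mask & ssl_op_bit(n):
            names.append(name)
            leftover &= ~ssl_op_bit(n)
    return names, leftover


def to_squid_hex(spec: str) -> str:
    """Render spec as the raw hex tokens Squid v5 accepts without an ERROR."""
    names, leftover = decode_options(parse_options(spec))
    tokens = [hex(option_value(n)) for n in names]
    return ",".join(tokens + ([hex(leftover)] if leftover else []))


def review_options(spec: str) -> dict:
    """Summarise what an options= value really enables, unsafe flags called out."""
    mask = parse_options(spec)
    names, leftover = decode_options(mask)
    return {"mask": mask, "flags": names,
            "unsafe": sorted(UNSAFE_FLAGS & set(names)),
            "unknown_bits": leftover}


if __name__ == "__main__":
    # The two spellings from the thread: the names Squid v5 reports as unknown
    # and the raw hex Alex proposed. Both must decode to the same flags.
    by_name = "LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION"
    print("tls_outgoing_options options=" + to_squid_hex(by_name))
    for spec in (by_name, "0x4,0x40000"):
        print(spec, "->", review_options(spec))
```

Running the script prints the hex form of the two named flags and then the decoded view of both spellings; the "unsafe" entry is the part to read before deploying, since a hex list hides that both flags relax the renegotiation checks OpenSSL enables by default. Any bits reported under "unknown_bits" are not in the script's short table and need to be looked up in ssl.h by hand.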