Hi Alex,
Thank you for putting so much effort into your reply.
Unfortunately, something is still wrong somewhere, as below.
On 26/12/22 21:31, Alex Rousskov wrote:
On 12/26/22 00:46, Amish wrote:
I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)
squid.conf:
# workaround for legacy / unpatched servers
tls_outgoing_options
options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION
There are two problems here:
1. Squid v5.7 hides important configuration errors. That problem was
fixed in master/v6 commit 61be1d8, but that fix has not been
backported to v5. If it were, you would have seen errors like this:
ERROR: Unknown TLS option LEGACY_SERVER_CONNECT
ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION
You can still see those level-1 errors on stderr if you start Squid
v5.7 with "-X", but they will be drowned in a sea of debugging
records. Save stderr output into a file and search it for ERROR.
I recommend lobbying for making the above configuration errors fatal
in Squid v6. I would be happy to post the corresponding code changes
if others agree that they should be fatal.
Yes indeed, the ERROR does appear on stderr with -X.
It should definitely be fatal, as otherwise someone may lose proper
security with wrong, incomplete, or unimplemented settings, thinking
that since Squid did not give an error, it is working fine.
2. As the above errors imply, you are using options that Squid does
not understand. Squid cannot pass named options that it does not
understand to OpenSSL because Squid does not know their numerical
values (OpenSSL API requires a numeric value to enable an option).
However, you can use a dangerous workaround: You can specify their raw
numeric values (in hex). You may use the table at [1] to get those
values[2]:
tls_outgoing_options options=0x4,0x40000
Disclaimer: I have not tested whether the above configuration matches
your intent. I only know that Squid v5 does not generate an ERROR for it.
With numeric hex values, I do not see the ERROR on stderr.
But it still does not seem to be working as expected. Squid still does
not open the page and gives same legacy negotiation error.
How do I know that SSL_CTX_set_options() is working with above options?
There appears to be nothing in cache.log.
$ grep debug_options squid.conf
debug_options 83,6
$ tail -f /var/log/squid/cache.log |grep -i 'ssl\|tls'
2022/12/27 20:39:04.939 kid1| 83,3| client_side_request.cc(1557)
sslBumpNeed: sslBump required: peek
2022/12/27 20:39:05.920 kid1| 83,5|
../../src/security/PeerOptions.h(111) convertContextFromRawPtr: SSL_CTX
construct, this=0x557039611e60
2022/12/27 20:39:05.920 kid1| 83,5| Session.cc(103) NewSessionObject:
SSL_new session=0x55703adcfd70
2022/12/27 20:39:05.920 kid1| 83,5| Session.cc(161) CreateSession: link
FD 12 to TLS session=0x55703adcfd70
2022/12/27 20:39:05.920 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080
remote=127.0.0.1:48458 FD 12 flags=1
2022/12/27 20:39:05.927 kid1| 83,5| Session.cc(103) NewSessionObject:
SSL_new session=0x557039a59050
2022/12/27 20:39:05.927 kid1| 83,5| Session.cc(161) CreateSession: link
FD 16 to TLS session=0x557039a59050
2022/12/27 20:39:05.928 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS
connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020
remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.062 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020
remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.062 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020
remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.063 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020
remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.063 kid1| 83,2| PeerConnector.cc(256)
handleNegotiationResult: ERROR: failure while establishing TLS
connection on FD: 160x55703a2d9e40*1
2022/12/27 20:39:06.063 kid1| 83,5| NegotiationHistory.cc(85)
retrieveNegotiatedInfo: SSL connection info on FD 16 SSL version
NONE/0.0 negotiated cipher
2022/12/27 20:39:06.063 kid1| 83,5| PeerConnector.cc(540) callBack: TLS
setup ended for
2022/12/27 20:39:06.069 kid1| 83,5| Session.cc(103) NewSessionObject:
SSL_new session=0x557039779b10
2022/12/27 20:39:06.069 kid1| 83,5| Session.cc(161) CreateSession: link
FD 16 to TLS session=0x557039779b10
2022/12/27 20:39:06.070 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS
connection 0x557039779b10 over conn23916 local=192.168.0.2:54084
remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.191 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039779b10 over conn23916 local=192.168.0.2:54084
remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.192 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039779b10 over conn23916 local=192.168.0.2:54084
remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.193 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS
connection 0x557039779b10 over conn23916 local=192.168.0.2:54084
remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1
2022/12/27 20:39:06.193 kid1| 83,2| PeerConnector.cc(256)
handleNegotiationResult: ERROR: failure while establishing TLS
connection on FD: 160x55703a2d9e40*1
2022/12/27 20:39:06.193 kid1| 83,5| NegotiationHistory.cc(85)
retrieveNegotiatedInfo: SSL connection info on FD 16 SSL version
NONE/0.0 negotiated cipher
2022/12/27 20:39:06.193 kid1| 83,5| PeerConnector.cc(540) callBack: TLS
setup ended for
2022/12/27 20:39:06.193 kid1| 83,5| Session.cc(100) operator(): SSL_free
session=0x557039779b10
2022/12/27 20:39:06.236 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS
connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080
remote=127.0.0.1:48458 FD 12 flags=1
2022/12/27 20:39:06.247 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS
connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080
remote=127.0.0.1:48458 FD 12 flags=1
2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(292) store_session_cb:
Request to store SSL_SESSION
2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(314) store_session_cb:
wrote an SSL_SESSION entry of size 129 at pos 129
2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(292) store_session_cb:
Request to store SSL_SESSION
2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(314) store_session_cb:
wrote an SSL_SESSION entry of size 128 at pos 80
2022/12/27 20:39:06.255 kid1| 83,5| Io.cc(91) Handshake: 1/0 for TLS
connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080
remote=127.0.0.1:48458 FD 12 flags=1
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
2022/12/27 20:39:06.255 kid1| 83,2| client_side.cc(2460)
clientNegotiateSSL: New session 0x55703abd32f0 on FD 12 (127.0.0.1:48458)
2022/12/27 20:39:06.255 kid1| 83,5| NegotiationHistory.cc(85)
retrieveNegotiatedInfo: SSL connection info on FD 12 SSL version TLS/1.3
negotiated cipher TLS_AES_256_GCM_SHA384
2022/12/27 20:39:06.255 kid1| 83,5| client_side.cc(2483)
clientNegotiateSSL: FD 12 has no client certificate.
2022/12/27 20:39:06.255 kid1| 83,3| Session.cc(36) tls_read_method:
started for session=0x55703adcfd70
2022/12/27 20:39:06.256 kid1| 83,3| Session.cc(73) tls_write_method:
started for session=0x55703adcfd70
2022/12/27 20:39:06.256 kid1| 83,3| Session.cc(73) tls_write_method:
started for session=0x55703adcfd70
2022/12/27 20:39:06.257 kid1| 83,5| Session.cc(100) operator(): SSL_free
session=0x557039a59050
2022/12/27 20:39:06.257 kid1| 83,5| Session.cc(100) operator(): SSL_free
session=0x55703adcfd70
2022/12/27 20:39:06.257 kid1| 83,5|
../../src/security/PeerOptions.h(113) operator(): SSL_CTX destruct,
this=0x557039611e60
Any idea on how do I know if SSL_CTX_set_options() is working with
legacy negotiations enabled?
[1] https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags
The above link should be placed in the tls_outgoing_options documentation at
http://www.squid-cache.org/Doc/config/tls_outgoing_options/
Additionally, a NOTE should be placed stating that it supports hex values.
Current documentation gives an impression that I can use all the named
options supported by OpenSSL. But in reality only selected named options
are supported.
[2] The table provides numerical values for OpenSSL v1 options. For
OpenSSL v3, the table provides a SSL_OP_BIT(n) formula: 2 to the power
of n. For example, SSL_OP_BIT(2) is, in hex notation, 0x4.
#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
HTH,
Alex.
# other related TLS settings
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options
cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# systemctl reload squid
But I am still getting the same error when trying to connect to the
above site via squid proxy. (Works fine without proxy)
What am I doing wrong?
Tips / help appreciated,
Thank you,
Amish.
Thank you
Amish.
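The question above ("how do I know that SSL_CTX_set_options() is working with the above options?") can be answered outside Squid by pushing the same raw bit mask through OpenSSL's SSL_CTX_set_options() and reading it back with SSL_CTX_get_options(). The script below is an added example written for this page; it is not code from Squid or from anyone in the thread. It uses Python's standard ssl module, whose SSLContext.options property wraps exactly those two OpenSSL calls, and it derives the two numeric values with the SSL_OP_BIT(n) formula from the footnote. The function names (ssl_op_bit, parse_squid_options, apply_and_verify) and the "options=0x4,0x40000" sample string are this example's own; the bit numbers 2 and 18 are the ones OpenSSL's header assigns to SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

```python
import ssl


def ssl_op_bit(n: int) -> int:
    """Mirror OpenSSL's macro: #define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)."""
    return 1 << n


# Values OpenSSL assigns in ssl.h (same numeric values in 1.1.x and 3.x):
#   SSL_OP_LEGACY_SERVER_CONNECT              SSL_OP_BIT(2)   -> 0x4
#   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION  SSL_OP_BIT(18)  -> 0x40000
LEGACY_SERVER_CONNECT = ssl_op_bit(2)
ALLOW_UNSAFE_LEGACY_RENEGOTIATION = ssl_op_bit(18)


def parse_squid_options(spec: str) -> int:
    """Combine a squid.conf-style 'options=0x4,0x40000' value into one mask.

    Only raw numbers are accepted on purpose: named options are what Squid v5
    silently dropped in the thread, so the hex form is the one worth checking.
    int(x, 0) understands the 0x prefix; plain decimal is accepted too.
    """
    value = spec.split("=", 1)[1] if spec.startswith("options=") else spec
    mask = 0
    for item in value.split(","):
        item = item.strip()
        if item:
            mask |= int(item, 0)
    return mask


def apply_and_verify(mask: int) -> dict:
    """Set `mask` on a fresh SSL_CTX and read it back from OpenSSL.

    SSLContext.options getter -> SSL_CTX_get_options()
    SSLContext.options setter -> SSL_CTX_clear_options() / SSL_CTX_set_options()
    Returns the mask OpenSSL reported before and after, whether every requested
    bit is now present, and which requested bits were not already on by default
    (a bit that was already set cannot prove the call did anything).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = int(ctx.options)
    ctx.options |= mask
    after = int(ctx.options)
    return {
        "before": before,
        "after": after,
        "applied": (after & mask) == mask,
        "newly_set": after & ~before & mask,
    }


if __name__ == "__main__":
    # Constructed sample: the exact value suggested in the thread.
    requested = parse_squid_options("options=0x4,0x40000")
    result = apply_and_verify(requested)
    print(f"requested mask : {requested:#x}")
    print(f"SSL_CTX options: {result['before']:#x} -> {result['after']:#x}")
    print(f"all bits set   : {result['applied']}")
    print(f"newly set bits : {result['newly_set']:#x}")
    # Where this Python build exposes the named constant (3.12+), cross-check
    # the hand-computed value against OpenSSL's own definition.
    named = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", None)
    if named is not None:
        print(f"ssl.OP_LEGACY_SERVER_CONNECT == 0x4: {int(named) == LEGACY_SERVER_CONNECT}")
```

This confirms only that OpenSSL accepts and retains the bits; it says nothing about whether Squid's own SSL_CTX received them, and nothing about whether the two options are the right fix for the failing server. To test the second point without Squid in the path, `openssl s_client -connect host:443 -legacy_server_connect` (and, for renegotiation, `-legacy_renegotiation`) applies the same options from the command line. Both options weaken the client against the insecure-renegotiation attack that RFC 5746 exists to prevent, so if they do turn out to be needed they belong in a per-destination exception, not in a proxy-wide default.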
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users