Search squid archive

Re: LEGACY_SERVER_CONNECT, ALLOW_UNSAFE_LEGACY_RENEGOTIATION does not work - SSL bump, OpenSSL 3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/27/22 10:42, Amish wrote:
On 26/12/22 21:31, Alex Rousskov wrote:
tls_outgoing_options options=0x4,0x40000

With numeric hex values, I do not see the ERROR on stderr.

But it still does not seem to be working as expected. Squid still does not open the page and gives same legacy negotiation error.

There are still many unknowns (from my point of view), including:

1. Does OpenSSL accept the above options? You ask that question below.
2. Does Squid indeed stare at the server, as expected?
3. Does Squid apply the accepted options when staring at the server?
4. Why does TLS negotiation fail despite those options applied,
   especially since it succeeds with using openssl s_client

Investigating the above (rough) questions may uncover more leads.


How do I know that SSL_CTX_set_options() is working with above options?
There appears to be nothing in cache.log.

Squid does not check the outcome of the SSL_CTX_set_options() call. To be sure, one would need to either use a debugger or add debugging to Squid (quality patches welcome). The call is in Security::PeerOptions::updateContextOptions().


$ tail -f /var/log/squid/cache.log |grep -i 'ssl\|tls'

FWIW, using this log snippet, I cannot quickly answer the other three questions . To make progress, I would either need to see a complete ALL,9 log (with a single problematic transaction[1]) or to reproduce the issue myself. Unfortunately, I currently do not have enough free time for that.

[1] https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction


Sorry,

Alex.


2022/12/27 20:39:04.939 kid1| 83,3| client_side_request.cc(1557) sslBumpNeed: sslBump required: peek 2022/12/27 20:39:05.920 kid1| 83,5| ../../src/security/PeerOptions.h(111) convertContextFromRawPtr: SSL_CTX construct, this=0x557039611e60 2022/12/27 20:39:05.920 kid1| 83,5| Session.cc(103) NewSessionObject: SSL_new session=0x55703adcfd70 2022/12/27 20:39:05.920 kid1| 83,5| Session.cc(161) CreateSession: link FD 12 to TLS session=0x55703adcfd70 2022/12/27 20:39:05.920 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080 remote=127.0.0.1:48458 FD 12 flags=1 2022/12/27 20:39:05.927 kid1| 83,5| Session.cc(103) NewSessionObject: SSL_new session=0x557039a59050 2022/12/27 20:39:05.927 kid1| 83,5| Session.cc(161) CreateSession: link FD 16 to TLS session=0x557039a59050 2022/12/27 20:39:05.928 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020 remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.062 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020 remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.062 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020 remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.063 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039a59050 over conn23913 local=[2001:db8::2]:60020 remote=[2405:200:1601:c0e1:49:40:8:183]:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.063 kid1| 83,2| PeerConnector.cc(256) handleNegotiationResult: ERROR: failure while establishing TLS connection on FD: 160x55703a2d9e40*1 2022/12/27 20:39:06.063 kid1| 83,5| NegotiationHistory.cc(85) retrieveNegotiatedInfo: SSL connection info on FD 16 SSL version NONE/0.0 negotiated cipher 2022/12/27 20:39:06.063 kid1| 83,5| PeerConnector.cc(540) callBack: TLS setup ended for 2022/12/27 20:39:06.069 kid1| 83,5| Session.cc(103) NewSessionObject: SSL_new session=0x557039779b10 2022/12/27 20:39:06.069 kid1| 83,5| Session.cc(161) CreateSession: link FD 16 to TLS session=0x557039779b10 2022/12/27 20:39:06.070 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS connection 0x557039779b10 over conn23916 local=192.168.0.2:54084 remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.191 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039779b10 over conn23916 local=192.168.0.2:54084 remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.192 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039779b10 over conn23916 local=192.168.0.2:54084 remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.193 kid1| 83,5| Io.cc(91) Handshake: -1/0 for TLS connection 0x557039779b10 over conn23916 local=192.168.0.2:54084 remote=49.40.8.180:443 HIER_DIRECT FD 16 flags=1 2022/12/27 20:39:06.193 kid1| 83,2| PeerConnector.cc(256) handleNegotiationResult: ERROR: failure while establishing TLS connection on FD: 160x55703a2d9e40*1 2022/12/27 20:39:06.193 kid1| 83,5| NegotiationHistory.cc(85) retrieveNegotiatedInfo: SSL connection info on FD 16 SSL version NONE/0.0 negotiated cipher 2022/12/27 20:39:06.193 kid1| 83,5| PeerConnector.cc(540) callBack: TLS setup ended for 2022/12/27 20:39:06.193 kid1| 83,5| Session.cc(100) operator(): SSL_free session=0x557039779b10 2022/12/27 20:39:06.236 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080 remote=127.0.0.1:48458 FD 12 flags=1 2022/12/27 20:39:06.247 kid1| 83,5| Io.cc(91) Handshake: -1/11 for TLS connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080 remote=127.0.0.1:48458 FD 12 flags=1 2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(292) store_session_cb: Request to store SSL_SESSION 2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(314) store_session_cb: wrote an SSL_SESSION entry of size 129 at pos 129 2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(292) store_session_cb: Request to store SSL_SESSION 2022/12/27 20:39:06.254 kid1| 83,5| Session.cc(314) store_session_cb: wrote an SSL_SESSION entry of size 128 at pos 80 2022/12/27 20:39:06.255 kid1| 83,5| Io.cc(91) Handshake: 1/0 for TLS connection 0x55703adcfd70 over conn23909 local=127.0.0.1:8080 remote=127.0.0.1:48458 FD 12 flags=1
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
2022/12/27 20:39:06.255 kid1| 83,2| client_side.cc(2460) clientNegotiateSSL: New session 0x55703abd32f0 on FD 12 (127.0.0.1:48458) 2022/12/27 20:39:06.255 kid1| 83,5| NegotiationHistory.cc(85) retrieveNegotiatedInfo: SSL connection info on FD 12 SSL version TLS/1.3 negotiated cipher TLS_AES_256_GCM_SHA384 2022/12/27 20:39:06.255 kid1| 83,5| client_side.cc(2483) clientNegotiateSSL: FD 12 has no client certificate. 2022/12/27 20:39:06.255 kid1| 83,3| Session.cc(36) tls_read_method: started for session=0x55703adcfd70 2022/12/27 20:39:06.256 kid1| 83,3| Session.cc(73) tls_write_method: started for session=0x55703adcfd70 2022/12/27 20:39:06.256 kid1| 83,3| Session.cc(73) tls_write_method: started for session=0x55703adcfd70 2022/12/27 20:39:06.257 kid1| 83,5| Session.cc(100) operator(): SSL_free session=0x557039a59050 2022/12/27 20:39:06.257 kid1| 83,5| Session.cc(100) operator(): SSL_free session=0x55703adcfd70 2022/12/27 20:39:06.257 kid1| 83,5| ../../src/security/PeerOptions.h(113) operator(): SSL_CTX destruct, this=0x557039611e60


Any idea on how do I know if SSL_CTX_set_options() is working with legacy negotiations enabled?


[1] https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags


Above link should be placed in tls_outgoing_options documentation at http://www.squid-cache.org/Doc/config/tls_outgoing_options/

Additionally a NOTE should be placed stating that it supports HEX values.

Current documentation gives an impression that I can use all the named options supported by OpenSSL. But in reality only selected named options are supported.


[2] The table provides numerical values for OpenSSL v1 options. For OpenSSL v3, the table provides a SSL_OP_BIT(n) formula: 2 to the power of n. For example, SSL_OP_BIT(2) is, in hex notation, 0x4.
    #define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)

HTH,

Alex.

# other related TLS related settings
tls_outgoing_options cafile=/etc/ssl/cert.pem

tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# systemctl reload squid

But I am still getting the same error when trying to connect to the above site via squid proxy. (Works fine without proxy)

What am I doing wrong?

Tips / help appreciated,

Thank you,

Amish.

Thank you

Amish.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux