Hello Alex, thank you for your answer! On Mon, Jun 10, Alex Rousskov wrote: > On 2024-06-10 08:10, Dieter Bloms wrote: > > > I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION option to enable access to https://cisco.com. > > The web server does not support secure renegotiation. > > > > I have tried to set the following options, but squid does not recognize any of them: > > > > tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION > > > > or > > > > tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION > > > > and > > > > tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION > > > > but no matter which syntax I use, I always get the message during squid-k parse: > > > > “2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION” > > > > How can I activate secure renegotiation for squid? > > To set an OpenSSL connection option that Squid does not know by name, use > that option hex value (based on your OpenSSL sources). For example: > > # SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be > # SSL_OP_BIT(18) which is equal to (1 << 18) or 0x40000 in hex. > tls_outgoing_options options=0x40000 > > Disclaimer: I have not tested the above and do not know whether adding that > option achieves what you want to achieve. I've added that option like: tls_outgoing_options options=0x40000 capath=/etc/ssl/certs min-version=1.2 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1 but no change. I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change. I use a debian bookworm container and when I use openssl s_client without -legacy_server_connect I can't established a tls connection --snip-- root@tarski:/# openssl s_client -connect cisco.com:443 CONNECTED(00000003) 4097F217F17F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 5177 bytes and written 322 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: 869B4016868DFF23D1DAB3A33F99F9879274C1F62FD45BF9DF839B27735FC72C Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1718090662 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- root@tarski:/# --snip-- but when I add the -legacy_server_connect option I can as shown here: --snip-- --- root@cdxiaphttpproxy04:/# openssl s_client -legacy_server_connect -connect cisco.com:443 CONNECTED(00000003) depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1 verify return:1 depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1 verify return:1 depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com verify return:1 --- Certificate chain 0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Nov 14 05:48:20 2023 GMT; NotAfter: Nov 13 05:47:20 2024 GMT 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1 i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1 i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIHkDCCBnigAwIBAgIQQAGLzF+ffeG2bq2GaN2HuTANBgkqhkiG9w0BAQsFADBy MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MS4wLAYDVQQLEyVIeWRy YW50SUQgVHJ1c3RlZCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlMR8wHQYDVQQDExZIeWRy YW50SUQgU2VydmVyIENBIE8xMB4XDTIzMTExNDA1NDgyMFoXDTI0MTExMzA1NDcy MFowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT CFNhbiBKb3NlMRswGQYDVQQKExJDaXNjbyBTeXN0ZW1zIEluYy4xFjAUBgNVBAMT DXd3dy5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5 CZi7tsogSJCAE5Zu78Z57FBC67OpK0OkIyVeixqKg57K/wqE4UF59GHHHVwOZhGv VgsD3jjiQOhxZbUJnaen0+cMH6s1lSRZtiIi2K/Z1Oy+1Gytpw2bYZTbuWHWk1/e VUgH8dS6PbwQp+/KAzV52Z98asWGzxWYqfJV5GUdC5V2MPDuDRfbrrl6uxVb05tN 69xfCIAR2KJtM64UJifesa7ItQBMzh1TYqPa4A15Ku6MgiuOkUddCrkZWRt1uevD E6k47uR4wcuM/hF/eSX8wl/BaKrM3eiAc94Thom0wvKzlG0uziL4cux/O6O0na0w o3WPfbSQltquqVPb9Z1JAgMBAAGjggQoMIIEJDAOBgNVHQ8BAf8EBAMCBaAwgYUG CCsGAQUFBwEBBHkwdzAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2Nz cC5pZGVudHJ1c3QuY29tMEMGCCsGAQUFBzAChjdodHRwOi8vdmFsaWRhdGlvbi5p ZGVudHJ1c3QuY29tL2NlcnRzL2h5ZHJhbnRpZGNhTzEucDdjMB8GA1UdIwQYMBaA FIm4m7ae7fuwxr0N7GdOPKOSnS35MCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwGCmCG SAGG+S8ABgMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3ZhbGlkYXRpb24uaWRl bnRydXN0LmNvbS9jcmwvaHlkcmFudGlkY2FvMS5jcmwwggE9BgNVHREEggE0MIIB MIIJY2lzY28uY29tgg13d3cuY2lzY28uY29tgg53d3cxLmNpc2NvLmNvbYIOd3d3 Mi5jaXNjby5jb22CDnd3dzMuY2lzY28uY29tghB3d3ctMDEuY2lzY28uY29tghB3 d3ctMDIuY2lzY28uY29tghF3d3ctcnRwLmNpc2NvLmNvbYISd3d3MS1zczIuY2lz Y28uY29tghJ3d3cyLXNzMS5jaXNjby5jb22CEnd3dzMtc3MxLmNpc2NvLmNvbYIS d3d3My1zczIuY2lzY28uY29tghR3d3cuc3RhdGljLWNpc2NvLmNvbYIVcmVkaXJl Y3QtbnMuY2lzY28uY29tghZjaXNjby1pbWFnZXMuY2lzY28uY29tghh3d3cubWVk aWFmaWxlcy1jaXNjby5jb20wHQYDVR0OBBYEFJXbJPCc5ySIPskL3ul5pwsnzqOn MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAX0GCisGAQQB1nkCBAIE ggFtBIIBaQFnAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGL zF+ivwAABAMARzBFAiAV2h1n5lmpF6LmJiUBK23xPvFstpP2e1rgvrgk3/JsmwIh AMWUWbEUlsvuBOZU4/Zj/319+wLUe00a3oB4TrmGl8dYAHUA7s3QZNXbGs7FXLed tM0TojKHRny87N7DUUhZRnEftZsAAAGLzF+gvgAABAMARjBEAiAOO0eyzuDUszNb crQzu64SP6Rb5MK2cma9K0v+TB4xtwIgQZPKexvzy13yOg7Imn9F2d8turRwP/KI DgAaezKY8AUAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYvM X6BZAAAEAwBHMEUCIQCLGuUmgXM4zWGFphL39D0xVwxW9YfN3M0QHuGkh+XcDgIg duaXqsoaucNUg8Y7iXgB8941hMMVyayYk7qOSBXO50UwDQYJKoZIhvcNAQELBQAD ggEBAMn5Jz/4Zo9Z2eduV86z+cQ2GLqe00HdV+Nu2g8z3Yg8my8TioRaNbYBj3XB Ng+sqQ4kAAp7AGcFDFQDBh8tokdH/d9/W+K+rPED3DTADMg/xqKpwdYNjnjOIfjq RdcPfvvCfpz6FFG67iCfvKGUJtRxCCwxZwOrH+yo5i92dZIVJBwGPT3rUACzswWR erVDViWgeHdU8BK9cQWAnLoYT4EOUoYgIpowEBW2QJbsjtyF6F/M+6QmIRfAiQmz ltnSXsmjQg6gU+xnb+hWr8Z6fJQ7WTKklIkq+P0m9XkMILrt2e/mJCVXllvHt1bw 3ppvS7HIO+hyjOL0Ec815gtXQ6Q= -----END CERTIFICATE----- subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com issuer=C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1 --- No client certificate CA names sent Peer signing digest: SHA512 Peer signature type: RSA Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 5570 bytes and written 441 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: A5AB47FDA51B5E20A65B2C8E5BEE4C03B81A954F6E10525A2D656C0C08C6C72C Session-ID-ctx: Master-Key: BB59B80C43F03ABCF1B35A62DCCB15061954F9FF19AAB08907E661F20E9104EA9DF6C4AACDD57245757800B6D80629C6 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1718090925 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- --snip-- so I think, no matter what option I set, it will be ignored -- Regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the
