SSL options on different http_port resolving into a single config for all ports


SSL options on different http_port resolving into a single config for all ports

Wahaj Ali

With squid 3.5.25, I have two http_port configs, on one of which I want to disable SSLv3 while leaving it enabled on the other. Here is part of that config:


http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

If I first proxy my traffic to port 443, it seems to apply the port 443 config on all other ports from here on. On the other hand if my first request goes through port 3128, then squid sets whatever SSL version is supported on 3128 for all the other ports as well. 

First request going to port 3128
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

First request hitting 443:
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


In the first case, SSLv3 fails on both ports, while in the second it works for both. My expectation was that I can configure the ports independently to use different SSL versions. Wonder if this is a bug?

Regards, 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL options on different http_port resolving into a single config for all ports

Wahaj Ali

Resending the logs as they were not formatted correctly:


First request going to port 3128
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

Now hit port 443:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

Restart squid, then send first request on port 443 (which has ssl3 enabled):

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Now send the same request on port 3128, which has ssl3 disabled:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


Re: SSL options on different http_port resolving into a single config for all ports

Amos Jeffries
Administrator
On 27/07/17 19:57, Wahaj Ali wrote:
> Resending the logs as they were not formatted correctly:
>
>
> First request going to port 3128
> root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"

AFAIK, the above is an invalid value for the https_proxy variable. It is
missing the URL scheme which tells curl whether HTTP or TLS is used to
connect to the proxy.



Since you are sending identical plain-text CONNECT requests in the two
ports the first one to receive the request forms the security context
used by the TLS server connection.

I believe what you are seeing is a result of the fake server
certificates being cached. The client requested domain is identical for
all tests, so the cached cert should be identical. However curl is
rejecting the certificate generated from SSLv3-enabled server connections.

Try with the dynamic_cert_mem_cache_size=0 option to disable cert caching.


Also, I highly recommend leaving port 443 for encrypted connections
(https_port directive). Using plain-text over it (http_port directive)
can be extremely problematic.


Amos
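The shared-context condition Amos describes, together with the two http_port lines from the opening post, can be caught by linting squid.conf before deployment; the block below is an added example, not Squid's own code, that parses http_port/https_port lines and reports bump ports still allowing SSLv3, a plain-text http_port on 443, and bump ports that share one signing cert with the generated-cert cache enabled but different options= sets. It assumes Squid's documented 4MB default for dynamic_cert_mem_cache_size when the parameter is absent, treats any non-zero size as "cache on", and uses the opening post's two lines as constructed sample input.

```python
"""Lint Squid http_port/https_port lines for the per-port TLS trap in this thread.

Added example, not part of Squid. Flags:
  * ssl-bump ports whose options= lacks NO_SSLv3;
  * a plain-text http_port on 443 (Amos's last point);
  * bump ports that share one signing cert while the generated-cert cache is
    enabled but differ in options=, the setup in which the first port to bump a
    host fixed the TLS settings seen on the other port until the cache was
    disabled with dynamic_cert_mem_cache_size=0.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two http_port lines from the opening post.
SAMPLE_CONF = """\
# squid.conf excerpt
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
"""

# Squid documents 4MB as the default when the parameter is not given; the lint
# assumes any non-zero size means generated certificates are cached.
DEFAULT_CERT_CACHE = "4MB"


@dataclass
class PortSpec:
    directive: str                               # http_port or https_port
    port: int
    flags: set = field(default_factory=set)      # bare flags such as ssl-bump
    params: dict = field(default_factory=dict)   # key=value pairs

    @property
    def options(self):
        """The options= list as a set, e.g. {'NO_SSLv2', 'NO_SSLv3'}."""
        return {o for o in self.params.get("options", "").split(",") if o}

    @property
    def bumping(self):
        """True if Squid terminates TLS on this port."""
        return "ssl-bump" in self.flags or self.directive == "https_port"

    @property
    def cert_cache_enabled(self):
        size = self.params.get("dynamic_cert_mem_cache_size", DEFAULT_CERT_CACHE)
        m = re.match(r"(\d+)", size)             # leading number; unit suffix ignored
        return m is not None and int(m.group(1)) > 0


def parse_port_lines(conf_text):
    """Return a PortSpec for each http_port/https_port line in conf_text."""
    specs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        listen = tokens[1]                       # 3128, 10.0.0.1:3128 or [::1]:3128
        spec = PortSpec(tokens[0], int(listen.rsplit(":", 1)[-1]))
        for tok in tokens[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                spec.params[key] = value
            else:
                spec.flags.add(tok)
        specs.append(spec)
    return specs


def lint(specs):
    """Return a list of human-readable findings for the parsed port specs."""
    findings = []
    for s in specs:
        if s.bumping and "NO_SSLv3" not in s.options:
            findings.append(f"port {s.port}: SSLv3 still enabled (add NO_SSLv3 to options=)")
        if s.directive == "http_port" and s.port == 443:
            findings.append(f"port {s.port}: plain-text http_port on the HTTPS port; "
                            "use https_port for TLS listeners")
    # Group bumping ports by signing cert while the generated-cert cache is on.
    by_cert = {}
    for s in specs:
        if s.bumping and s.cert_cache_enabled:
            by_cert.setdefault(s.params.get("cert"), []).append(s)
    for cert, group in by_cert.items():
        if len({frozenset(s.options) for s in group}) > 1:
            ports = ", ".join(str(s.port) for s in group)
            findings.append(f"ports {ports}: share cert {cert} with the generated-cert cache "
                            "enabled but differ in options=; the first port to bump a host "
                            "fixes the TLS settings the others serve for it (set "
                            "dynamic_cert_mem_cache_size=0 or align options=)")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_port_lines(SAMPLE_CONF)):
        print(finding)
```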

Re: SSL options on different http_port resolving into a single config for all ports

Wahaj Ali

Thanks for the reply, Amos. A few follow-up questions:

1) Setting dynamic_cert_mem_cache_size=0 does solve the issue. However, I fail to understand why caching the cert allows the connection to continue on SSLv3 on a port where I've disabled it. Isn't the cert exchange done after the protocol has been selected? I don't think curl is rejecting the cert; rather, the SSL connection fails to establish before the cert exchange, since I also tried with the following command, which ignores cert errors:

curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3


root@madmin-VirtualBox:/home/madmin/# curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

2) You mentioned "leaving port 443 for encrypted connections"; can you please elaborate on why it might be problematic to use the "http_port" directive, i.e. to have both plain-text and SSL connections?


Thanks.


From: Wahaj Ali
Sent: Thursday, July 27, 2017 12:57:14 PM
To: [hidden email]
Subject: Re: SSL options on different http_port resolving into a single config for all ports
 

Resending the logs as they were not formatted correctly:


First request going to port 3128
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

Now hit port 443:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

Restart squid, then send first request on port 443 (which has ssl3 enabled):

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Now send the same request on port 3128, which has ssl3 disabled:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur   ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


From: Wahaj Ali
Sent: Thursday, July 27, 2017 12:51:57 PM
To: [hidden email]
Subject: SSL options on different http_port resolving into a single config for all ports
 

With squid 3.5.25, I have two http_port configs, on one of which I want to disable SSLv3 while leaving it enabled on the other. Here is part of that config:


http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

If I first proxy my traffic to port 443, it seems to apply the port 443 config on all other ports from here on. On the other hand if my first request goes through port 3128, then squid sets whatever SSL version is supported on 3128 for all the other ports as well. 

First request going to port 3128:
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
*
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

First request hitting 443:
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin#
root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
* start date: 2017-07-03 09:00:37 GMT
* expire date: 2019-07-04 09:00:37 GMT
* common name: uatmail02.cimb.com (matched)
* issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=[hidden email]; CN=Elastica
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


In the first case, SSLv3 fails on both ports, while in the second it works for both. My expectation was that I can configure the ports independently to use different SSL versions. Wonder if this is a bug?

Regards, 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL options on different http_port resolving into a single config for all ports

Amos Jeffries
Administrator
On 31/07/17 19:27, Wahaj Ali wrote:

> Thanks for the reply, Amos. A few follow up questions:
>
> 1) Setting dynamic_cert_mem_cache_size=0 does solve the issue. However,
> I fail to understand why caching the cert allows the connection to
> continue on SSLv3, on a port where I've disabled it. Isn't cert exchange
> done after the protocol has been selected? I don't think curl is
> rejecting the cert, but rather the ssl connection fails to establish
> before the cert exchange, since I also tried with the following command,
> which ignores cert errors:
> > curl -k -vv -x https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3
>

Are you referring to the -k ?

That option disables security validation procedures for the cert keys -
like Squid's DONT_VERIFY_PEER option. That is all.

It cannot prevent OpenSSL *parsing* the cert and rejecting it on grounds
that TLS-only things are being used on an SSLv3 connection, or SSL
things are being used on a TLS-only connection.


>
> root@madmin-VirtualBox:/home/madmin/# curl -k -vv -x
> https://127.0.0.1:3128 https://uatmail02.cimb.com -ssl3
> * About to connect() to proxy 127.0.0.1 port 3128 (#0)
> *   Trying 127.0.0.1... connected
> * Establish HTTP proxy tunnel to uatmail02.cimb.com:443
>  > CONNECT uatmail02.cimb.com:443 HTTP/1.1
>  > Host: uatmail02.cimb.com:443
>  > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>  > Proxy-Connection: Keep-Alive
>  >
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> *   CAfile: none
>    CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):

The protocol version is decided here. By the server - based partially on
what framing syntax that ClientHello used, and partially on what the
client indicates it can support.

If the protocol itself could not be agreed to, the server would terminate
and I'd expect curl to either show an alert received now, or complain
about early closure.


> * SSLv3, TLS alert, Server hello (2):

Here curl is receiving the ServerHello - which contains the cert and the
server's chosen cyphers etc.


> * error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> * Closing connection #0

So, curl is aborting willingly when processing that cert etc.

That "error:" line is produced by OpenSSL, not curl.

It might also abort due to cipher or extension issues, but IIRC the
messages OpenSSL prints there explicitly contain the words cipher or
extension respectively.


>
> 2) You mentioned "leaving port 443 for encrypted connections", can you
> please elaborate on why it might be problematic to use "http_port"
> directive - i.e. have both plain-text and SSL connections?
>

Because of problems like the one you are clearly showing by the way you
worded that question. As if you think SSL connections are arriving at
that port.

  ... it *does not* accept SSL connections.

The octet values for TLS and plain-text messages are incompatible. They
can be interpreted by either one - with various results which are
different to how they are supposed to be handled, and usually not nice
results.


The "http_" part of the directive name indicates what protocol the
parser attached to that port accepts. In this case plain-text HTTP.
There are a few other protocols that can arrive there but they do so by
using the plain-text HTTP syntax.


To receive port 443 traffic use the https_port. The "https_" part of
that directive name means the bytes arriving to that port get shuffled
through a TLS parser (eg OpenSSL) before going to the HTTP parser.

If you were thinking that ssl-bump option on the port made it accept
SSL/TLS connections you would be wrong. SSL-Bump on an http_port is
about applying a TLS parser *after* the HTTP parser - and only for the
payload of plain-text HTTP CONNECT messages.


Other plain-text protocols which Squid supports that don't use the
HTTP message syntax have to use different port directives. For example,
the ftp_port directive for native FTP protocol.

Amos
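Added here as an example (not code from the thread, and not part of Squid): a small Python check that reads the NO_SSLv3 flag out of each http_port line's options= list, reads the per-port outcome of the `curl -ssl3` runs quoted above, and reports any port whose observed behaviour contradicts its own configuration, which is exactly how the cross-port leakage in this thread shows up. The config and transcript samples are constructed abbreviations of the ones posted above; the function names are my own.

```python
import re
# Constructed sample: the thread's two http_port lines, trimmed to the parts
# this check reads (port number and options= list).
SQUID_CONF = """
http_port 3128 ssl-bump options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
http_port 443 ssl-bump options=SINGLE_ECDH_USE
"""

# Constructed sample: the "first request going to port 3128" curl -v runs,
# abbreviated to the lines the check keys on.
CURL_LOG = """
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
* About to connect() to proxy 127.0.0.1 port 443 (#0)
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
"""

def expected_sslv3(conf):
    """Per http_port: True unless its options= list carries NO_SSLv3."""
    result = {}
    for m in re.finditer(r"^http_port\s+(\d+)\s+(.*)$", conf, re.M):
        port, rest = int(m.group(1)), m.group(2)
        opts = re.search(r"options=(\S+)", rest)
        flags = opts.group(1).split(",") if opts else []
        result[port] = "NO_SSLv3" not in flags
    return result

def observed_sslv3(log):
    """Per proxy port: True if the SSLv3-only handshake completed, False on
    a handshake-failure alert from OpenSSL, None if neither was seen."""
    result, port = {}, None
    for line in log.splitlines():
        m = re.search(r"connect\(\) to proxy \S+ port (\d+)", line)
        if m:
            port = int(m.group(1))
            result[port] = None
        elif port is not None and "alert handshake failure" in line:
            result[port] = False
        elif port is not None and line.startswith("* SSL connection using"):
            result[port] = True
    return result

def mismatches(conf, log):
    """Ports whose observed SSLv3 behaviour contradicts their own config."""
    exp, obs = expected_sslv3(conf), observed_sslv3(log)
    return {p: (exp[p], obs[p]) for p in exp
            if obs.get(p) is not None and obs[p] != exp[p]}
```

On the constructed sample, port 443 is flagged: its config permits SSLv3 but the run after the first request to 3128 rejected it, matching the poster's first case.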