Squid4 with GnuTLS - specify ciphers or disable protocols

Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
I'm using squid 4.4 as remote proxy for an https server.
Squid 4.4 comes from Debian testing and is compiled with --with-gnutls (no openssl support).

How can I disable certain cipher suites or protocols (like TLS 1.0)?

From my understanding I should add tls-min-version=1.1 to https_port - but that is ignored...?
Where can I add GnuTLS priority strings to disable certain ciphers?

I guess the documentation about https_port is somewhat misleading as it often refers to the OpenSSL config.

Thanks in advance for any help.

Regards, Martin

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
On 10/11/18 7:04 AM, Martin Hoffmann wrote:
> I'm using squid 4.4 as remote proxy for an https server.
> Squid 4.4 comes from Debian testing and is compiled with --with-gnutls
> (no openssl support).
>
> How can I disable certain cipher suites or protocols (like TLS 1.0) ?
>
> From my understanding I should add tls-min-version=1.1 to https_port -
> but that is ignored...?

Hmm, I think I've found a bug in there which would cause that.


> Where can I add GnuTLS priority strings to disable certain ciphers ?
>

Use "tls-options=". It is not yet documented since it has not had much
testing. For GnuTLS it should take a ':' separated list of priority strings.

FWIW: To work around the above tls-min-version bug, you should add the
priority string ":-VERS-TLS1.0" to that list of your custom ones. That
is what the min-version options should have been doing but clearly is not.


> I guess Documentation about https_port is somewhat misleading as it
> often refers to the openssl config.

Most documentation is still about OpenSSL because that is the older
feature set.

Settings that are named with "tls" prefixes have been given GnuTLS
support and should work for either library unless explicitly stated as
requiring one in particular.


HTH
Amos

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
In reply to this post by Martin Hoffmann
Thanks for your quick reply.

Are you sure that tls-options *is working*?

It seems that no matter what options I give to tls-options everything is ignored:

https_port 192.168.x.y:443 tls-cert=/path/cert.crt tls-key=/path/cert.key tls-dh=/path/dhparams.pem tls-options=NORMAL:-VERS-TLS1.0 accel defaultsite=my.domain.com


I have even tried tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2 - but in the end it's all the same, TLS 1.0, 1.1 and 1.2 are enabled and all the same cipher suites are active. Absolutely identical to omitting tls-options=... altogether.

Any idea?

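As an added example (not code from this thread or from Squid), here is a small model of the GnuTLS priority-string semantics that tls-options= is meant to pass straight through to the library, covering the strings Amos and Martin use above, plus a helper that flags the versions a client-side probe of the listener still accepted although the string forbids them. It assumes GnuTLS 3.6 defaults (NORMAL and the SECURE* levels start with TLS 1.0 through 1.3 enabled) and models only the VERS-* keywords.

```python
# Added example, not from the squid-users thread or the Squid project: a
# simplified model of how a GnuTLS priority string (what tls-options= takes)
# enables or disables TLS versions, plus a check of a probed listener against
# it. Assumptions: NORMAL/SECURE*/PFS/PERFORMANCE start with TLS 1.0-1.3 all
# enabled (GnuTLS 3.6 defaults); only VERS-* keywords are modelled, cipher,
# MAC, KX and %FLAG keywords are accepted but ignored.
ALL_TLS = frozenset({"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"})
INITIAL_KEYWORDS = {"NORMAL", "PFS", "PERFORMANCE", "SECURE128",
                    "SECURE192", "SECURE256", "LEGACY"}

def enabled_tls_versions(priority: str) -> set:
    """Return the TLS versions left enabled after applying `priority`."""
    parts = priority.split(":")
    if parts[0] in INITIAL_KEYWORDS:
        enabled = set(ALL_TLS)
    elif parts[0] == "NONE":
        enabled = set()            # NONE starts empty; versions must be +added
    else:                          # SYSTEM/@NAME read system config: not modelled
        raise ValueError(f"unsupported initial keyword: {parts[0]!r}")
    for kw in parts[1:]:           # keywords are applied strictly left to right
        if not kw:
            raise ValueError("empty keyword (stray ':')")
        op, name = kw[0], kw[1:]
        if op == "%":
            continue               # %FLAG options never change versions
        if op not in "+-!":
            raise ValueError(f"keyword needs a +/-/! prefix: {kw!r}")
        if not name.startswith("VERS-"):
            continue               # cipher/MAC/KX keyword: ignored in this model
        target = name[len("VERS-"):]
        if target in ("ALL", "TLS-ALL"):
            versions = set(ALL_TLS)
        elif target in ALL_TLS:
            versions = {target}
        else:
            raise ValueError(f"unknown version keyword: {kw!r}")
        enabled = enabled | versions if op == "+" else enabled - versions
    return enabled

def is_valid_priority(priority: str) -> bool:
    try:
        enabled_tls_versions(priority)
        return True
    except ValueError:
        return False

def unexpected_versions(priority: str, observed) -> set:
    # Versions a probe saw the server accept although `priority` forbids them.
    return set(observed) - enabled_tls_versions(priority)
```

Comparing the string's expected set against what a client-side probe of the https_port actually negotiates is the quickest way to spot the ignored-setting behaviour described in this thread.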

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
On 12/11/18 11:05 PM, Martin Hoffmann wrote:
> Thanks for your quick reply.
>
> Are your sure that tls-options *is working*?
>

Nope, as I said earlier it is not tested much. Just that it builds and
passes the strings as-is to the library. It should "just work" since the
library is doing all the lifting.

The server connection side has had a bit more, testing that TLS version
restriction worked there.


> It seems that no matter what options I give to tls-options everything is
> ignored:
>
> https_port 192.168.x.y:443 tls-cert=/path/cert.crt
> tls-key=/path/cert.key tls-dh=/path/dhparams.pem
> tls-options=NORMAL:-VERS-TLS1.0 accel defaultsite=my.domain.com
> <http://my.domain.com>
>
>
> I have even
> tried tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2  - but in
> the end its all the same, TLS 1.0, 1.1 and 1.2 are enabled and all the
> same cipher suites are active. Absolute identical to
> omitting tls-options=... altogether.
>
> Any idea?
>

Hmm. Looking into it now.

Amos

Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
Thanks that would be fine.
However, meanwhile I have recompiled squid 4.4 with OpenSSL support (added --enable-ssl and --with-open-ssl=xxx and removed --with-gnutls to debian/rules) just to end with the same problems - I cannot seem to find how to disable certain protocols or ciphers with squid 4.4.
With squid 3.3 / 3.5 it worked without problems with "https_port ... cipher=ALL:!xxx options=NO_TLSv1,....". However, despite the docs saying these options should still work, Squid 4.4 just exits with an error:

FATAL: Unknown https_port option 'cipher=

FATAL: Unknown https_port option 'options=

This seems to be the case regardless of whether I compile it with OpenSSL support or GnuTLS support or both. Btw, how does Squid "know" which library to choose if it's compiled with both libraries?

So what exactly am I missing here? Are the docs simply wrong? Or outdated?
Which exact keyword should set the OpenSSL ciphers? Which one should set the GnuTLS priority strings? Is it the same keyword with different values?

I have then experimented with e.g. tls-options=NO_TLSv1 setting in Squid4.4 with OpenSSL but without any luck:

FATAL: Unknown TLS option 'NO_TLSv1'


So please could anyone provide a proven working example for disabling TLS v1 or any cipher in Squid 4.4? Either OpenSSL or GnuTLS would suffice to bring me back on the right track.

Thanks in advance,

Martin

On Tue, 18 Dec 2018 at 07:46, Amos Jeffries <[hidden email]> wrote:
On 18/12/18 3:57 am, Martin Hoffmann wrote:
> Sorry for my late response, but I have been very busy the last weeks. 
> So I could finally find the time to patch my Squid 4.4 with your Patch
> https://github.com/squid-cache/squid/pull/330
>

No worries, similar situation here.

> However running patched squid with the following config still does
> ignore all TLS specific settings (tls-options and tls-min-version):
>
> https_port 1.2.3.4:443 <http://1.2.3.4:443> tls-cert=/path/cert.crt
> tls-key=/path/cert.key tls-dh=/path/dhparams.pem tls-min-version=1.2
> accel defaultsite=some.domain.de <http://some.domain.de>
>
>
> All attempts to disable certain ciphers or TLS version via
> 'tls-options=SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2' also fails -
> no change at all. It is as if squid totally ignores all GnuTLS specific
> settings...? Is there still another bug regarding config?
>

Just the unhelpful "Hmm, that's odd". I intend to re-test all this in the
next month or so to be able to give a better indication of what to
expect working and see if any other regressions show up.

Sorry,
Amos


Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
On 19/12/18 3:44 am, Martin Hoffmann wrote:
> Thanks that would be fine.
> However meanwhile I have recompiled squid 4.4 with OpenSSL support
> (added --enable-ssl

Which does not exist any longer.

> and --with-open-ssl=xxx

Which never existed at all.

The ./configure option name is " --with-openssl ". Add that to the
debian/rules file and rebuild.


> and removed --with-gnutls
> to debian/rules) just to end with the same problems

Nod. That is because the options you have to enable OpenSSL do not exist.


# see './configure --help'
"

  --enable-ssl-crtd       Prevent Squid from directly generating TLS/SSL
                          private key and certificate. Instead enables
                          the certificate generator processes.

  --without-gnutls        Do not use GnuTLS for SSL.
                          Default: auto-detect

  --with-openssl[=PATH]   Compile with the OpenSSL libraries. The path
                          to the OpenSSL development libraries and
                          headers installation can be specified if
                          outside of the system standard directories

"

HTH
Amos


Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Martin Hoffmann
Sorry, my fault. Using the correct configure options makes OpenSSL support indeed work :-) Thanks for pointing me to that. I will again try with GnuTLS after getting everything up and running with OpenSSL.

Regards, Martin.


Re: Squid4 with GnuTLS - specify ciphers or disable protocols

Amos Jeffries
Administrator
I think I have managed to track this down. It seems to be a side effect
of the session management being designed for OpenSSL where the context
implicitly shares details in the library between sessions linked to that
context. Under GnuTLS the sessions generated by clients connecting are
not inheriting details from the listening context+session state, where
they do under OpenSSL.

It may take a while to get that logic redesigned and the fix merged.

Amos