Trying to verify couple tls issues

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Trying to verify couple tls issues

Eliezer Croitoru-3
I wrote the next "helping/helper/testing scripts":
https://github.com/elico/tls-check-script/blob/master/tls-check.rb
https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh

Now I am trying to verify what issues exists that causes squid to this
result:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
flags=33

So the output of: bash check-dns-san.sh 161.117.96.220 443 is:
## START
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA
CA 2018
verify return:1
depth=0 CN = data.mistat.intl.xiaomi.com
verify return:1
DONE
X509v3 Subject Alternative Name:
    DNS:data.mistat.intl.xiaomi.com
## END

And then I am testing with the next command: ruby tls-check.rb
161.117.96.220 443 and the output is:
## START
### Number of Ciphers to be tested: 66
### Timeout per test: 3
### Delay between tests: 1
Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
Testing TLS_CHACHA20_POLY1305_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_GCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_CCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing ECDHE-ECDSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED:
ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM8...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-CCM...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM8...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES256-CCM...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-GCM-SHA256...  CONNECTED:
ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
Testing DHE-RSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM8...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-CCM...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM8...  NO, sslv3 alert handshake failure
Testing DHE-RSA-AES128-CCM...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing DHE-RSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA384...  CONNECTED: ECDHE-RSA-AES256-SHA384, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA256...  CONNECTED: ECDHE-RSA-AES128-SHA256, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES256-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES256-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-ECDSA-AES128-SHA...  NO, sslv3 alert handshake failure
Testing ECDHE-RSA-AES128-SHA...  CONNECTED: ECDHE-RSA-AES128-SHA, YES,
Secure Renegotiation IS supported
Testing DHE-RSA-AES128-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES, Secure
Renegotiation IS supported
Testing AES256-CCM8...  NO, sslv3 alert handshake failure
Testing AES256-CCM...  NO, sslv3 alert handshake failure
Testing ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES, Secure
Renegotiation IS supported
Testing AES128-CCM8...  NO, sslv3 alert handshake failure
Testing AES128-CCM...  NO, sslv3 alert handshake failure
Testing ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure
Renegotiation IS supported
Testing CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure
Renegotiation IS supported
Testing CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure Renegotiation IS
supported
Testing CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure Renegotiation IS
supported
Testing CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
Testing DHE-RSA-SEED-SHA...  NO, sslv3 alert handshake failure
Testing SEED-SHA...  NO, sslv3 alert handshake failure
Testing IDEA-CBC-SHA...  NO, ssl_cipher_process_rulestr
## END

I assume that the above results might give a clue why mentioned error line:
2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
flags=33

happens. However I am not sure.
Are there any config that might affect this negotiation in squid?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Trying to verify couple tls issues

Amos Jeffries
Administrator
On 19/01/21 6:04 am, Eliezer Croitoru wrote:

> I wrote the next "helping/helper/testing scripts":
> https://github.com/elico/tls-check-script/blob/master/tls-check.rb
> https://github.com/elico/tls-check-script/blob/master/check-dns-san.sh
>
> Now I am trying to verify what issues exists that causes squid to this
> result:
> 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
>      connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
> flags=33
>
> So the output of: bash check-dns-san.sh 161.117.96.220 443 is:
> ## START
> Can't use SSL_get_servername
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA
> CA 2018
> verify return:1
> depth=0 CN = data.mistat.intl.xiaomi.com
> verify return:1
> DONE
> X509v3 Subject Alternative Name:
>      DNS:data.mistat.intl.xiaomi.com
> ## END
>
> And then I am testing with the next command: ruby tls-check.rb
> 161.117.96.220 443 and the output is:
> ## START
> ### Number of Ciphers to be tested: 66
> ### Timeout per test: 3
> ### Delay between tests: 1
> Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
> Testing TLS_CHACHA20_POLY1305_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing TLS_AES_128_GCM_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing TLS_AES_128_CCM_SHA256...  NO, SSL_CTX_set_cipher_list
> Testing ECDHE-ECDSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED:
> ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CHACHA20-POLY1305...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-CCM...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES256-CCM...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-GCM-SHA256...  CONNECTED:
> ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-CCM...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-AES128-CCM...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-SHA384...  CONNECTED: ECDHE-RSA-AES256-SHA384, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CAMELLIA256-SHA384...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-SHA256...  CONNECTED: ECDHE-RSA-AES128-SHA256, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES256-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES256-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-ECDSA-AES128-SHA...  NO, sslv3 alert handshake failure
> Testing ECDHE-RSA-AES128-SHA...  CONNECTED: ECDHE-RSA-AES128-SHA, YES,
> Secure Renegotiation IS supported
> Testing DHE-RSA-AES128-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
> Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES, Secure
> Renegotiation IS supported
> Testing AES256-CCM8...  NO, sslv3 alert handshake failure
> Testing AES256-CCM...  NO, sslv3 alert handshake failure
> Testing ARIA256-GCM-SHA384...  NO, sslv3 alert handshake failure
> Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES, Secure
> Renegotiation IS supported
> Testing AES128-CCM8...  NO, sslv3 alert handshake failure
> Testing AES128-CCM...  NO, sslv3 alert handshake failure
> Testing ARIA128-GCM-SHA256...  NO, sslv3 alert handshake failure
> Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure
> Renegotiation IS supported
> Testing CAMELLIA256-SHA256...  NO, sslv3 alert handshake failure
> Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure
> Renegotiation IS supported
> Testing CAMELLIA128-SHA256...  NO, sslv3 alert handshake failure
> Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure Renegotiation IS
> supported
> Testing CAMELLIA256-SHA...  NO, sslv3 alert handshake failure
> Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure Renegotiation IS
> supported
> Testing CAMELLIA128-SHA...  NO, sslv3 alert handshake failure
> Testing DHE-RSA-SEED-SHA...  NO, sslv3 alert handshake failure
> Testing SEED-SHA...  NO, sslv3 alert handshake failure
> Testing IDEA-CBC-SHA...  NO, ssl_cipher_process_rulestr
> ## END
>
> I assume that the above results might give a clue why mentioned error line:
> 2021/01/18 18:54:47 kid1| Error negotiating SSL connection on FD 46:
> error:00000001:lib(0):func(0):reason(1) (1/-1)
>      connection: conn407043 local=161.117.96.220:443 remote=192.16.XYZ
> flags=33

Take the output above and grep "CONNECTED: ". If the client or Squid do
not support those combinations, the above error will result when
connecting to that server.


 > Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED:
 > ECDHE-RSA-AES256-GCM-SHA384, YES, Secure Renegotiation IS supported

 > Testing ECDHE-RSA-AES128-GCM-SHA256...CONNECTED:
 > ECDHE-RSA-AES128-GCM-SHA256, YES, Secure Renegotiation IS supported

 > Testing ECDHE-RSA-AES256-SHA384...CONNECTED: ECDHE-RSA-AES256-SHA384,
 > Testing ECDHE-RSA-AES128-SHA256...CONNECTED: ECDHE-RSA-AES128-SHA256,
 > Testing ECDHE-RSA-AES256-SHA...  CONNECTED: ECDHE-RSA-AES256-SHA, YES,
 > Testing AES256-GCM-SHA384...  CONNECTED: AES256-GCM-SHA384, YES,
 > Testing AES128-GCM-SHA256...  CONNECTED: AES128-GCM-SHA256, YES,
 > Testing AES256-SHA256...  CONNECTED: AES256-SHA256, YES, Secure
 > Testing AES128-SHA256...  CONNECTED: AES128-SHA256, YES, Secure
 > Testing AES256-SHA...  CONNECTED: AES256-SHA, YES, Secure
 > Testing AES128-SHA...  CONNECTED: AES128-SHA, YES, Secure
 > ## END


>
> happens. However I am not sure.
> Are there any config that might affect this negotiation in squid?


When either SHA or AES are not possible for Squid to use it will happen.
Depending on whether your Squid is doing bumping or not will will
determine whether it is possible to affect with a configuration change
or if the issue is the client software.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users