reverse proxy Squid 4


reverse proxy Squid 4

Vieri
Hi,

Today I just migrated from Squid 3 to Squid 4, and I found that a reverse proxy that was working fine before is now failing. The client browser sees this message:

[No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: [No Error]

This is how I configured the backend:

cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/MY-CA/certs/W1_cert.cer sslkey=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem sslcafile=/etc/ssl/MY-CA/cacert.pem ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1 sslflags=DONT_VERIFY_PEER front-end-https=on name=MyServer

The NO_TLSv* options are because the backend server is an old Windows 2003 (which hasn't changed either).

How can I debug this?

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: reverse proxy Squid 4

Amos Jeffries
Administrator
On 25/06/20 2:57 am, Vieri wrote:

> Hi,
>
> Today I just migrated from Squid 3 to Squid 4, and I found that a reverse proxy that was working fine before is now failing. The client browser sees this message:
>
> [No Error] (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: [No Error]
>
> This is how I configured the backend:
>
> cache_peer 10.215.144.16 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/MY-CA/certs/W1_cert.cer sslkey=/etc/ssl/MY-CA/certs/W1_key_nopassphrase.pem sslcafile=/etc/ssl/MY-CA/cacert.pem ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1 sslflags=DONT_VERIFY_PEER front-end-https=on name=MyServer
>

All options relating to SSLv2 are no longer supported in Squid-4+:
 <http://www.squid-cache.org/Versions/v4/RELEASENOTES.html#ss2.3>


> The NO_TLSv* options are because the backend server is an old Windows 2003 (which hasn't changed either).

Does it obey TLS/1.0 properly?

If so, you should only need to configure these for Squid-4+:
  tls-options=NO_SSLv3,NO_TLSv1_3 tls-min-version=1.0

If it is so broken that it cannot handle TLS 1.1 or 1.2 numbers in the
handshake (TLSv1.0 requires that it does), then you will need:
  tls_options=NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2,NO_TLSv1_3


>
> How can I debug this?
>

Start with removing the "sslflags=DONT_VERIFY_PEER" so TLS information
gets checked instead of silently ignored.

Then reduce the ssloptions= as much as you can. Remove if possible. A
packet trace of what is being attempted will be useful then.


Amos
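As an added example (not code from the thread or from the Squid project) of the two steps Amos suggests: rewrite the old ssloptions= list into the Squid-4 tls-options= form with the unsupported SSLv2 token dropped, and probe the backend one protocol version at a time with openssl s_client to see which handshakes actually complete. It assumes an OpenSSL whose s_client exits non-zero on a failed handshake; the host/port are whatever your cache_peer points at.

```sh
#!/bin/sh
# Added example, not from the thread: convert a Squid-3 cache_peer
# ssloptions= list into Squid-4 tls-options= (SSLv2 tokens are dropped,
# since Squid-4 no longer accepts them) and probe a backend per TLS
# version so the failing handshake can be pinned down before a packet trace.

# Print the Squid-4 tls-options= value for a Squid-3 ssloptions= list.
# Returns 1 on a token this converter does not know.
squid4_tls_opts() {
  out=""
  old_ifs=$IFS; IFS=','
  for tok in $1; do
    case "$tok" in
      NO_SSLv2) ;;                                  # removed in Squid-4: drop
      NO_SSLv3|NO_TLSv1|NO_TLSv1_1|NO_TLSv1_2|NO_TLSv1_3)
        out="${out:+$out,}$tok" ;;
      *) IFS=$old_ifs
         printf 'unknown ssloptions token: %s\n' "$tok" >&2
         return 1 ;;
    esac
  done
  IFS=$old_ifs
  printf 'tls-options=%s\n' "$out"
}

# Attempt one handshake per protocol version against HOST:PORT and report
# which ones complete. Assumes s_client exits non-zero on handshake failure;
# very old backends may additionally need "-cipher DEFAULT:@SECLEVEL=0"
# on OpenSSL 3 builds, which refuse TLS 1.0 at the default security level.
probe_tls_versions() {
  host=$1; port=${2:-443}
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
      printf '%s: handshake OK\n' "$v"
    else
      printf '%s: handshake FAILED\n' "$v"
    fi
  done
}

# The thread's own Squid-3 option list from the cache_peer line.
squid4_tls_opts "NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO_TLSv1_1"
# -> tls-options=NO_SSLv3,NO_TLSv1_2,NO_TLSv1_1
```

Run `probe_tls_versions 10.215.144.16 443` (your backend address) to see which versions the origin completes; a backend that only passes `tls1` is the case Amos describes as needing NO_TLSv1_1,NO_TLSv1_2,NO_TLSv1_3.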

Re: reverse proxy Squid 4

Vieri


On Thursday, June 25, 2020, 10:32:46 AM GMT+2, Amos Jeffries <[hidden email]> wrote:

>
>  tls-options=NO_SSLv3,NO_TLSv1_3 tls-min-version=1.0
>
>  tls_options=NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2,NO_TLSv1_3
>
> removing the "sslflags=DONT_VERIFY_PEER"
>
> Then reduce the ssloptions= as much as you can. Remove if possible.

Tried all of that, but still just getting this in the log:

kid1| 83,5| NegotiationHistory.cc(81) retrieveNegotiatedInfo: SSL connection info on FD 13 SSL version NONE/0.0 negotiated cipher
kid1| ERROR: negotiating TLS on FD 13: error:00000000:lib(0):func(0):reason(0) (5/-1/0)

> A packet trace of what is being attempted will be useful then.

Will try to save one.

Thanks,

Vieri