With squid 3.5.25, I have two http_port configs, on one of which I want to 
disable SSLv3 while leaving it enabled on the other. Here is part of that 
config:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem

If I first proxy my traffic to port 443, it seems to apply the port 443 config 
on all other ports from here on. On the other hand if my first request goes 
through port 3128, then squid sets whatever SSL version is supported on 3128 
for all the other ports as well.

First request going to port 3128:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0

First request hitting port 443:

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:443"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*   subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
*   start date: 2017-07-03 09:00:37 GMT
*   expire date: 2019-07-04 09:00:37 GMT
*   common name: uatmail02.cimb.com (matched)
*   issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineer...@elastica.co; CN=Elastica
*   SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:48 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=1468917241090744452&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

root@madmin-VirtualBox:/home/madmin# export https_proxy="127.0.0.1:3128"
root@madmin-VirtualBox:/home/madmin# curl -v https://uatmail02.cimb.com -ssl3
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1... connected
* Establish HTTP proxy tunnel to uatmail02.cimb.com:443
> CONNECT uatmail02.cimb.com:443 HTTP/1.1
> Host: uatmail02.cimb.com:443
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*   subject: C=MY; ST=CIMB Bank Berhad ; L=Kuala Lumpur ; OU=CIMB Bank Berhad; CN=uatmail02.cimb.com
*   start date: 2017-07-03 09:00:37 GMT
*   expire date: 2019-07-04 09:00:37 GMT
*   common name: uatmail02.cimb.com (matched)
*   issuer: C=US; ST=California; L=San Jose; O=Elastica Inc; OU=Development; emailAddress=service-engineer...@elastica.co; CN=Elastica
*   SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: uatmail02.cimb.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 26 Jul 2017 10:12:58 GMT
< Location: http://127.0.0.1:7999/gateway_auth/?__eln__=2303332476459826439&elastica_relay=https%3A%2F%2Fuatmail02.cimb.com%2F
< Server: elastica-gateway-service/v1.0
< Connection: close
<
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


In the first case, SSLv3 fails on both ports, while in the second it works for 
both. My expectation was that I can configure the ports independently to use 
different SSL versions. I wonder if this is a bug?

Regards,

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
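Added example, not part of the original message and not code from the Squid project: a small Python lint that parses http_port/https_port directives, reports which TLS-terminating ports lack NO_SSLv2/NO_SSLv3 in their options= list, flags when the ports disagree with each other (the situation described above), and produces a hardened copy of the config with both options added to every port. The two directives from the message are used as a constructed sample, rejoined onto one line each. It assumes one directive per line and parameter values without whitespace, and the function names (parse_port_directives, lint, harden) are the example's own. It does not model how Squid itself does or does not share TLS settings between ports; it only makes the difference between the two ports visible so the exception can be made deliberately.

```python
import shlex

# Constructed sample: the two http_port directives from the message, one per line.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
http_port 443 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/madmin/certs/elastica-ca.pem key=/home/madmin/certs/ca.key cipher=ALL:!DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC4-MD5:!EXP-RC2-CBC-MD5:@STRENGTH options=SINGLE_ECDH_USE tls-dh=prime256v1:/etc/ssl/private/el-dhparams.pem
"""

# Protocol-disabling options every TLS-terminating port should carry.
LEGACY_OPTIONS = ("NO_SSLv2", "NO_SSLv3")

PORT_DIRECTIVES = ("http_port", "https_port")


def parse_port_directives(conf_text):
    """Yield (directive, port, flags, params) for each http_port/https_port line.

    Assumption (example's own): one directive per line, and parameter values
    contain no whitespace. Comments after '#' are dropped.
    """
    for raw in conf_text.splitlines():
        line = raw.partition("#")[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in PORT_DIRECTIVES or len(tokens) < 2:
            continue
        flags, params = set(), {}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep:
                params[key] = value      # key=value parameter
            else:
                flags.add(tok)           # bare flag such as ssl-bump
        yield tokens[0], tokens[1], flags, params


def terminates_tls(directive, flags):
    """https_port always terminates TLS; http_port only does so with ssl-bump."""
    return directive == "https_port" or "ssl-bump" in flags


def legacy_options(params):
    """Return the subset of NO_SSLv2/NO_SSLv3 present in the options= list."""
    opts = set(filter(None, params.get("options", "").split(",")))
    return opts & set(LEGACY_OPTIONS)


def lint(conf_text):
    """Report ports that still allow SSLv2/SSLv3, and ports whose legacy
    protocol settings differ from each other."""
    findings = []
    per_port = {}
    for directive, port, flags, params in parse_port_directives(conf_text):
        if not terminates_tls(directive, flags):
            continue
        present = legacy_options(params)
        per_port[port] = present
        missing = [o for o in LEGACY_OPTIONS if o not in present]
        if missing:
            findings.append(f"port {port}: legacy protocol not disabled: {', '.join(missing)}")
    if len({frozenset(s) for s in per_port.values()}) > 1:
        summary = " ".join(f"{p}=[{','.join(sorted(s))}]" for p, s in per_port.items())
        findings.append("ports disagree on legacy-protocol options: " + summary)
    return findings


def harden(conf_text):
    """Return the config with NO_SSLv2,NO_SSLv3 merged into the options= list of
    every TLS-terminating port; the parameter is appended when absent."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.partition("#")[0].strip()
        tokens = shlex.split(line) if line else []
        if len(tokens) >= 2 and tokens[0] in PORT_DIRECTIVES:
            flags = {t for t in tokens[2:] if "=" not in t}
            if terminates_tls(tokens[0], flags):
                idx = next((i for i, t in enumerate(tokens) if t.startswith("options=")), None)
                current = tokens[idx][len("options="):].split(",") if idx is not None else []
                current = [c for c in current if c]
                merged = current + [o for o in LEGACY_OPTIONS if o not in current]
                new_tok = "options=" + ",".join(merged)
                if idx is None:
                    tokens.append(new_tok)
                else:
                    tokens[idx] = new_tok
                out.append(" ".join(tokens))
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
    print(harden(SAMPLE_CONF))
```

Run against the sample, lint() reports that port 443 leaves both legacy protocols enabled and that the two ports disagree, while lint(harden(SAMPLE_CONF)) reports nothing. If the intent really is to keep SSLv3 available on 443 only, the lint output is the written record of that exception, which is worth having regardless of how the proxy ends up applying the two option sets.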