[squid-users] squid listen on UDP for * or 0.0.0.0
Hello Folks,

Wondering why I see squid listening on UDP sockets. And how can I disable that behavior?

Here is a sample capture:

ss -lup
NCONN 00 *:62408 *:* users:(("squid",pid=304626,fd=12))
UNCONN 00 *:62421 *:* users:(("squid",pid=89500,fd=7))
UNCONN 00 *:62439 *:* users:(("squid",pid=506816,fd=12))
UNCONN 00 *:62440 *:* users:(("squid",pid=889812,fd=12))
UNCONN 00 *:62441 *:* users:(("squid",pid=561342,fd=13))
UNCONN 00 *:62448 *:* users:(("squid",pid=90497,fd=7))
UNCONN 00 *:62467 *:* users:(("squid",pid=89345,fd=7))
UNCONN 00 *:62481 *:* users:(("squid",pid=48730,fd=13))
UNCONN 00 *:62491 *:* users:(("squid",pid=88914,fd=7))
UNCONN 00 *:62504 *:* users:(("squid",pid=74449,fd=7))
UNCONN 00 *:62505 *:* users:(("squid",pid=89517,fd=7))
UNCONN 00 *:62507 *:* users:(("squid",pid=89077,fd=7))
UNCONN 00 *:62534 *:* users:(("squid",pid=70608,fd=7))
UNCONN 00 *:62543 *:* users:(("squid",pid=63323,fd=7))
UNCONN 00 *:62582 *:* users:(("squid",pid=89292,fd=7))
UNCONN 00 *:62606 *:* users:(("squid",pid=89037,fd=7))
UNCONN 00 *:62635 *:* users:(("squid",pid=89569,fd=7))
UNCONN 00 *:62636 *:* users:(("squid",pid=305076,fd=13))
UNCONN 00 *:62683 *:* users:(("squid",pid=304108,fd=13))

Sometimes the DNS resolutions fail on the server due to a port conflict with squid. I think it won't be a problem if it listens on the same squid IP, but listening on * (all sockets) will make issues.

Any way to figure out the issue above?

BR

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"
On 13/12/2022 12:34 am, Dieter Bloms wrote:
> Hello,
>
> I've enabled sslbump and configured the following outgoing tls options:
>
> tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA
>
> so for me it looks like squid must not use TLS1.1 or TLS1.0.

Correct.

> But for some web sites like https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html the first request is made with a tls1.0 client hello packet.

In the pcap provided I see two TLS/1.2 attempts which are being terminated by the server. Immediately followed by TLS/1.3 which is succeeding and doing stuff. Other connections just go straight to TLS/1.3 and do stuff.

FYI, if you are looking at the trace with wireshark the TLS/1.2 packets are labeled as protocol "TLSv1" for some reason I don't know. There is a framing layer for TLS which carries a version number "1.0", but that is shared by all TLS/1.* versions up to and including 1.3.

> When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.

I'm not sure why that reload is needed. As mentioned above the visible TLS terminate is immediately followed by successful TLS/1.3 use.

> So what option can be used to force a minimum tls1.2 client hello package every time?

The tls-min-version=1.2 which you already used, and appears to be working.

Cheers
Amos
Re: [squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"
On 12/12/22 06:34, Dieter Bloms wrote:
> I've enabled sslbump and configured the following outgoing tls options:
>
> tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA

This probably does not apply to your specific use case, but I will state it here in case other readers find this exchange: If SslBump configuration peeks at the server, then Squid cannot honor tls_outgoing_options. For example, tls_outgoing_options will be ignored in the following configuration:

ssl_bump peek all
ssl_bump splice all

> min-version=1.2 options=NO_TLSv1:NO_TLSv1_1

FYI: The min-version=1.2 directive will automatically append NO_TLSv1:NO_TLSv1_1 options (or their GnuTLS equivalents).

> so for me it looks like squid must not use TLS1.1 or TLS1.0.
>
> But for some web sites like https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html the first request is made with a tls1.0 client hello packet.

You are probably being misled by Wireshark (or equivalent). Packet in frame 4 and packet in frame 9 in your trace use the same set of versions. The two packets only differ in Random, Session ID, and Key Exchange fields (as expected). You can confirm that by expanding TLS sub-trees in each packet, copying each packet dissection, and comparing the two saved text files.

TLS has many layers. Layers have their own versions (and their own version-specific ways to specify versions). The two packets in question use a v1.0 TLS record to transmit a ClientHello message (legacy version v1.2) to announce support for TLS v1.2 and TLS v1.3:

TLS...
  Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Handshake Protocol: Client Hello
      Version: TLS 1.2 (0x0303)
      ...
      Extension: supported_versions (len=5)
        Type: supported_versions (43)
        Length: 5
        Supported Versions length: 4
        Supported Version: TLS 1.3 (0x0304)
        Supported Version: TLS 1.2 (0x0303)

Why does Wireshark (and similar smart tools) say "TLSv1.3 Record Layer" only for packet 9 even though all the relevant ClientHello fields are identical in both packets? That happens because Wireshark is smart enough to look further into the TLS handshake and discover that, when it comes to the connection containing packet 9, the two agents have negotiated TLS v1.3 (starting with frame 10):

TLSv1.3 Record Layer: Handshake Protocol: Hello Retry Request
  Extension: supported_versions (len=2)
    Type: supported_versions (43)
    Length: 2
    Supported Version: TLS 1.3 (0x0304)

You can easily confirm that Wireshark is just being (too) helpful by exporting frames 1-9 from the packet capture (as a pcap packet capture) and looking at the exported packets with Wireshark. You will then see "TLSv1 Record Layer" instead of "TLSv1.3 Record Layer" for packet 9, even though you have modified no packets, only truncated the exchange.

I do not know why the server resets the first TCP connection.

HTH,

Alex.

> When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.
>
> So what option can be used to force a minimum tls1.2 client hello package every time?
>
> Here is a link to the pcap file with both variants: https://bloms.de/download/www.europarl.europa.eu.pcap
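As an added illustration of the point Amos and Alex make above (this is editor-written example code, not from the thread, from Squid or from Wireshark), the parser below pulls the three separate "versions" out of a ClientHello: the record-layer version (0x0301, the "TLSv1" Wireshark labels), the legacy handshake version (0x0303), and the supported_versions extension, which is the only field that says what the client will actually accept. The ClientHello bytes are constructed inside the block rather than taken from the pcap.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43          # extension type from RFC 8446
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(offered):
    """Constructed test data, not a capture: a minimal TLS 1.3-style ClientHello
    whose record header says 0x0301 and legacy_version says 0x0303 (as in the pcap)."""
    ext_body = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
    exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body = (b"\x03\x03"                    # legacy_version, fixed at TLS 1.2
            + bytes(32)                    # random (zeros, constructed data)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_versions(record):
    """Return the record-layer, legacy handshake, and supported_versions values."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # skip random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    offered = []
    while pos < end:                                       # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS_EXT:
            offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        pos += 4 + elen
    return {"record": rec_ver, "legacy": legacy, "offered": offered}


def effective_minimum(record):
    """Lowest version the client accepts: supported_versions if present, else legacy."""
    v = parse_versions(record)
    return min(v["offered"]) if v["offered"] else v["legacy"]
```

Run against a ClientHello offering 1.3 and 1.2 it reports record 0x0301, legacy 0x0303 and an effective minimum of TLS 1.2, which is what a correctly applied min-version=1.2 looks like on the wire.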
[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"
Hello,

I've enabled sslbump and configured the following outgoing tls options:

tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA

so for me it looks like squid must not use TLS1.1 or TLS1.0.

But for some web sites like https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html the first request is made with a tls1.0 client hello packet.

When I reload the page the proxyserver sends a tls1.2 client hello and the website is shown as expected.

So what option can be used to force a minimum tls1.2 client hello package every time?

Here is a link to the pcap file with both variants: https://bloms.de/download/www.europarl.europa.eu.pcap

--
Regards

Dieter

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.