Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?
On 2024-06-11 03:33, Dieter Bloms wrote:
> I've added that option like:
> tls_outgoing_options options=0x4 ...
> but no change.
> I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change.

I have seen this behavior before. My current working theory is that Squid ignores tls_outgoing_options when SslBump peeks or stares at the Squid-to-server TLS connection. In case of staring, this smells like a Squid bug to me. The peeking case is more nuanced, but Squid code modifications are warranted in that case as well.

If your Squid is peeking and splicing the Squid-origin connection, then please try the following unofficial patch:
https://github.com/measurement-factory/squid/commit/4dad35eb.patch

The patch sets SSL_OP_LEGACY_SERVER_CONNECT unconditionally when peeking, for the reasons explained in the patch. This change has been proposed for official adoption at https://github.com/squid-cache/squid/pull/1839

I do not have a patch for the staring use case.

HTH,
Alex.
Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?
Hello Alex,

thank you for your answer!

On Mon, Jun 10, Alex Rousskov wrote:
> On 2024-06-10 08:10, Dieter Bloms wrote:
>
> > I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION
> > option to enable access to https://cisco.com.
> > The web server does not support secure renegotiation.
> >
> > I have tried to set the following options, but squid does not recognize any
> > of them:
> >
> > tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
> >
> > or
> >
> > tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> >
> > and
> >
> > tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> >
> > but no matter which syntax I use, I always get the message during squid -k
> > parse:
> >
> > “2024/06/10 14:08:17| ERROR: Unknown TLS option
> > ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
> >
> > How can I activate secure renegotiation for squid?
>
> To set an OpenSSL connection option that Squid does not know by name, use
> that option's hex value (based on your OpenSSL sources). For example:
>
> # SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
> # SSL_OP_BIT(18) which is equal to (1 << 18) or 0x4 in hex.
> tls_outgoing_options options=0x4
>
> Disclaimer: I have not tested the above and do not know whether adding that
> option achieves what you want to achieve.

I've added that option like:

tls_outgoing_options options=0x4 capath=/etc/ssl/certs min-version=1.2 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

but no change.
I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change.

I use a debian bookworm container, and when I use openssl s_client without -legacy_server_connect I can't establish a TLS connection:

--snip--
root@tarski:/# openssl s_client -connect cisco.com:443
CONNECTED(0003)
4097F217F17F:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5177 bytes and written 322 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID: 869B4016868DFF23D1DAB3A33F99F9879274C1F62FD45BF9DF839B27735FC72C
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1718090662
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
root@tarski:/#
--snip--

but when I add the -legacy_server_connect option I can, as shown here:

--snip--
root@cdxiaphttpproxy04:/# openssl s_client -legacy_server_connect -connect cisco.com:443
CONNECTED(0003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 05:48:20 2023 GMT; NotAfter: Nov 13 05:47:20 2024 GMT
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHkDCCBnigAwIBAgIQQAGLzF+ffeG2bq2GaN2HuTANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MS4wLAYDVQQLEyVIeWRy
YW50SUQgVHJ1c3RlZCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlMR8wHQYDVQQDExZIeWRy
YW50SUQgU2VydmVyIENBIE8xMB4XDTIzMTExNDA1NDgyMFoXDTI0MTExMzA1NDcy
MFowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT
CFNhbiBKb3NlMRswGQYDVQQKExJDaXNjbyBTeXN0ZW1zIEluYy4xFjAUBgNVBAMT
DXd3dy5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5
CZi7tsogSJCAE5Zu78Z57FBC67OpK0OkIyVeixqKg57K/wqE4UF59GHHHVwOZhGv
VgsD3jjiQOhxZbUJnaen0+cMH6s1lSRZtiIi2K/Z1Oy+1Gytpw2bYZTbuWHWk1/e
VUgH8dS6PbwQp+/KAzV52Z98asWGzxWYqfJV5GUdC5V2MPDuDRfbrrl6uxVb05tN
69xfCIAR2KJtM64UJifesa7ItQBMzh1TYqPa4A15Ku6MgiuOkUddCrkZWRt1uevD
E6k47uR4wcuM/hF/eSX8wl/BaKrM3eiAc94Thom0wvKzlG0uziL4cux/O6O0na0w
o3WPfbSQltquqVPb9Z1JAgMBAAGjggQoMIIEJDAOBgNVHQ8BAf8EBAMCBaAwgYUG
CCsGAQUFBwEBBHkwdzAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2Nz
cC5pZGVudHJ1c3QuY29tMEMGCCsGAQUFBzAChjdodHRwOi8vdmFsaWRhdGlvbi5p
ZGVudHJ1c3QuY29tL2NlcnRzL2h5ZHJhbnRpZGNhTzEucDdjMB8GA1UdIwQYMBaA
FIm4m7ae7fuwxr0N7GdOPKOSnS35MCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwGCmCG
SAGG+S8ABgMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3ZhbGlkYXRpb24uaWRl
bnRydXN0LmNvbS9jcmwvaHlkcmFudGlkY2FvMS5jcmwwggE9BgNVHREEggE0MIIB
MIIJY2lzY28uY29tgg13d3cuY2lzY28uY29tgg53d3cxLmNpc2NvLmNvbYIOd3d3
Mi5jaXNjby5jb22CDnd3dzMuY2lzY28uY29tghB3d3ctMDEuY2lzY28uY29tghB3
d3ctMDIuY2lzY28uY29tghF3d3ctcnRwLmNpc2NvLmNvbYISd3d3MS1zczIuY2lz
Y28uY29tghJ3d3cyLXNzMS5jaXNjby5jb22CEnd3dzMtc3MxLmNpc2NvLmNv
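The two s_client runs above are the useful diagnostic in this thread: the first fails with `unsafe legacy renegotiation disabled`, the second completes the handshake but still reports `Secure Renegotiation IS NOT supported`. As an added example that is not part of the thread, the following Python turns that manual reading into a check that can be run over a list of upstream hosts, so you know which origins actually lack RFC 5746 before weakening anything proxy-wide. It assumes an `openssl` binary on PATH (OpenSSL 3.x, whose s_client understands `-legacy_server_connect`). The sample outputs embedded in it are constructed and abbreviated from the transcripts above; the TLS 1.3 sample is constructed to show the one case where `IS NOT supported` is normal, because TLS 1.3 has no renegotiation at all.

```python
"""Added example (not from the squid-users thread or from Squid): classify
`openssl s_client` output for RFC 5746 secure-renegotiation support.

probe() runs the real openssl binary (assumed to be on PATH). classify() is a
pure function over captured output; the samples below are constructed from the
transcripts in the thread and are what the tests exercise.
"""
import re
import subprocess

# Strings as printed by OpenSSL 3.x s_client (seen in the transcripts above).
LEGACY_ERROR = "unsafe legacy renegotiation disabled"
RENEG_NOT_SUPPORTED = "Secure Renegotiation IS NOT supported"
RENEG_SUPPORTED = "Secure Renegotiation IS supported"
HANDSHAKE_DONE = "Verify return code:"
TLS13_SESSION = re.compile(r"Protocol\s*:\s*TLSv1\.3")


def classify(output: str) -> str:
    """Classify one s_client run.

    'legacy-required'   server lacks RFC 5746 and OpenSSL 3 refused to continue
                        (the thread's first transcript)
    'legacy-negotiated' handshake completed although the server lacks RFC 5746,
                        which only happens with -legacy_server_connect
    'secure'            server supports RFC 5746, or the session is TLS 1.3, where
                        renegotiation does not exist and the IS NOT line is normal
    'no-handshake'      no TLS session for some other reason (DNS, refused, ...)
    """
    if LEGACY_ERROR in output:
        return "legacy-required"
    if TLS13_SESSION.search(output) or RENEG_SUPPORTED in output:
        return "secure"
    if RENEG_NOT_SUPPORTED in output and HANDSHAKE_DONE in output:
        return "legacy-negotiated"
    return "no-handshake"


def probe(host: str, port: int = 443, legacy: bool = False, timeout: float = 15) -> str:
    """Run s_client once and return stdout+stderr (errors go to stderr)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if legacy:
        cmd.append("-legacy_server_connect")
    res = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (res.stdout + res.stderr).decode("utf-8", errors="replace")


def needs_legacy_server_connect(host: str, port: int = 443) -> bool:
    """True only when the handshake fails without the legacy flag and works with it."""
    without = classify(probe(host, port))
    with_legacy = classify(probe(host, port, legacy=True))
    return without == "legacy-required" and with_legacy == "legacy-negotiated"


# Constructed samples, abbreviated from the transcripts above (not real captures).
SAMPLE_REFUSED = """CONNECTED(0003)
4097F217F17F:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
"""
SAMPLE_LEGACY_OK = """CONNECTED(0003)
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = www.cisco.com
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
"""
SAMPLE_TLS13 = """CONNECTED(0003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    import sys
    for name, sample in (("refused", SAMPLE_REFUSED), ("legacy ok", SAMPLE_LEGACY_OK),
                         ("tls1.3", SAMPLE_TLS13)):
        print(f"{name:<10} -> {classify(sample)}")
    for host in sys.argv[1:]:  # live probes, e.g. python3 probe.py <host>
        print(host, "needs -legacy_server_connect:", needs_legacy_server_connect(host))
```

Run with one or more host names to probe live; without arguments it only classifies the embedded samples. A host that comes back `legacy-required`/`legacy-negotiated` is the kind of origin the thread is about; one that comes back `secure` on TLS 1.3 needs nothing, even though s_client prints the same `IS NOT supported` line for it.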
Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?
On 2024-06-10 08:10, Dieter Bloms wrote:
> I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION
> option to enable access to https://cisco.com.
> The web server does not support secure renegotiation.
>
> I have tried to set the following options, but squid does not recognize any
> of them:
>
> tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION
>
> or
>
> tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> and
>
> tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> but no matter which syntax I use, I always get the message during squid -k
> parse:
>
> “2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION”
>
> How can I activate secure renegotiation for squid?

To set an OpenSSL connection option that Squid does not know by name, use that option's hex value (based on your OpenSSL sources). For example:

# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be
# SSL_OP_BIT(18) which is equal to (1 << 18) or 0x4 in hex.
tls_outgoing_options options=0x4

Disclaimer: I have not tested the above and do not know whether adding that option achieves what you want to achieve.

HTH,
Alex.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
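The reply above relies on reading a bit index out of the OpenSSL headers and turning it into the hex number that `tls_outgoing_options options=` accepts. The script below is an added example, not from the thread, from Squid or from OpenSSL: it does that conversion from header text so the value can be checked before it goes into squid.conf, combines several options into one mask, and decodes a mask back to option names. The header excerpt embedded in it is constructed for the example; its two bit indices are those of OpenSSL 3.x `include/openssl/ssl.h`, but verify them against the header of the OpenSSL build your Squid links to, because the numeric value is only meaningful for that build.

```python
"""Added example (not from the thread, Squid or OpenSSL): derive the numeric
value of SSL_OP_* options from OpenSSL 3.x-style SSL_OP_BIT(n) definitions and
render it the way Squid's tls_outgoing_options options= expects (hex).
"""
import re

# Constructed excerpt in the style of OpenSSL 3.x include/openssl/ssl.h.
# The two bit indices match OpenSSL 3.x; check them against your own header.
SAMPLE_SSL_H = """
# define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
# define SSL_OP_LEGACY_SERVER_CONNECT                    SSL_OP_BIT(2)
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        SSL_OP_BIT(18)
"""

# Matches "# define SSL_OP_NAME  SSL_OP_BIT(n)"; the SSL_OP_BIT macro line
# itself does not match because "(n)" follows the name instead of whitespace.
_BIT_DEF = re.compile(
    r"^\s*#\s*define\s+(SSL_OP_[A-Z0-9_]+)\s+SSL_OP_BIT\((\d+)\)", re.M)


def parse_ssl_options(header_text: str) -> dict:
    """Return {option name: numeric value} for every SSL_OP_BIT(n) definition.

    SSL_OP_BIT(n) is (uint64_t)1 << n, so the value is simply 1 << n.
    """
    return {name: 1 << int(bit) for name, bit in _BIT_DEF.findall(header_text)}


def option_mask(names, table) -> int:
    """OR the named options together; an unknown name raises rather than
    silently contributing 0 to the mask."""
    mask = 0
    for name in names:
        if name not in table:
            raise KeyError(f"{name} is not an SSL_OP_BIT option in this header")
        mask |= table[name]
    return mask


def squid_options_value(names, table) -> str:
    """Render the value for 'tls_outgoing_options options=...' as hex."""
    return f"0x{option_mask(names, table):x}"


def describe(value: int, table) -> list:
    """Reverse lookup: which known options does a given mask enable?"""
    return sorted(name for name, bit in table.items() if value & bit)


if __name__ == "__main__":
    table = parse_ssl_options(SAMPLE_SSL_H)
    for name, value in table.items():
        print(f"{name:<45} bit {value.bit_length() - 1:>2} = 0x{value:x}")
    print("options=" + squid_options_value(
        ["SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"], table))
    print("options=" + squid_options_value(
        ["SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", "SSL_OP_LEGACY_SERVER_CONNECT"], table))
    print("0x4 enables:", describe(0x4, table))
```

To use it against a real installation, read the installed `ssl.h` into `parse_ssl_options` instead of the embedded excerpt. The reverse lookup is the part worth keeping around: before changing a mask in squid.conf, feed it to `describe` to see exactly which options it switches on.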
[squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?
Hello,

I have activated ssl_bump and must activate the UNSAFE_LEGACY_RENEGOTIATION option to enable access to https://cisco.com.
The web server does not support secure renegotiation.

I have tried to set the following options, but squid does not recognize any of them:

tls_outgoing_options options=UNSAFE_LEGACY_RENEGOTIATION

or

tls_outgoing_options options=ALLOW_UNSAFE_LEGACY_RENEGOTIATION

and

tls_outgoing_options options=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

but no matter which syntax I use, I always get the message during squid -k parse:

“2024/06/10 14:08:17| ERROR: Unknown TLS option ALLOW_UNSAFE_LEGACY_RENEGOTIATION”

How can I activate secure renegotiation for squid?

--
Regards
Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.