Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

Tue, 11 Jun 2024 07:03:50 -0700 

On 2024-06-11 03:33, Dieter Bloms wrote:


I've added that option like:
tls_outgoing_options options=0x40000 ...
but no change.

I tried 0x4 (for SSL_OP_LEGACY_SERVER_CONNECT), but also without any change.
I have seen this behavior before. My current working theory is that Squid ignores tls_outgoing_options when SslBump peeks or stares at Squid-to-server TLS connection. In case of staring, this smells like a Squid bug to me. Peeking case is more nuanced, but Squid code modifications are warranted in that case as well.
If your Squid is peeking and splicing Squid-origin connection, then please try the following unofficial patch: 
https://github.com/measurement-factory/squid/commit/4dad35eb.patch
The patch sets SSL_OP_LEGACY_SERVER_CONNECT unconditionally when peeking, for the reasons explained in the patch. This change has been proposed for official adoption at 
https://github.com/squid-cache/squid/pull/1839


I do not have a patch for the staring use case.


HTH,

Alex.




I use a debian bookworm container and when I use openssl s_client
without -legacy_server_connect I can't established a tls connection

--snip--
root@tarski:/# openssl s_client -connect cisco.com:443
CONNECTED(00000003)
4097F217F17F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy 
renegotiation disabled:../ssl/statem/extensions.c:893:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5177 bytes and written 322 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
     Session-ID: 
869B4016868DFF23D1DAB3A33F99F9879274C1F62FD45BF9DF839B27735FC72C
     Session-ID-ctx:
     Master-Key:
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1718090662
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
---
root@tarski:/#
--snip--

but when I add the -legacy_server_connect option I can as shown here:

--snip--
---
root@cdxiaphttpproxy04:/# openssl s_client -legacy_server_connect -connect 
cisco.com:443
CONNECTED(00000003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = 
www.cisco.com
verify return:1
---
Certificate chain
  0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = 
www.cisco.com
    i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Nov 14 05:48:20 2023 GMT; NotAfter: Nov 13 05:47:20 2024 GMT
  1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
    i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
  2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
    i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
    v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHkDCCBnigAwIBAgIQQAGLzF+ffeG2bq2GaN2HuTANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MS4wLAYDVQQLEyVIeWRy
YW50SUQgVHJ1c3RlZCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlMR8wHQYDVQQDExZIeWRy
YW50SUQgU2VydmVyIENBIE8xMB4XDTIzMTExNDA1NDgyMFoXDTI0MTExMzA1NDcy
MFowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT
CFNhbiBKb3NlMRswGQYDVQQKExJDaXNjbyBTeXN0ZW1zIEluYy4xFjAUBgNVBAMT
DXd3dy5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5
CZi7tsogSJCAE5Zu78Z57FBC67OpK0OkIyVeixqKg57K/wqE4UF59GHHHVwOZhGv
VgsD3jjiQOhxZbUJnaen0+cMH6s1lSRZtiIi2K/Z1Oy+1Gytpw2bYZTbuWHWk1/e
VUgH8dS6PbwQp+/KAzV52Z98asWGzxWYqfJV5GUdC5V2MPDuDRfbrrl6uxVb05tN
69xfCIAR2KJtM64UJifesa7ItQBMzh1TYqPa4A15Ku6MgiuOkUddCrkZWRt1uevD
E6k47uR4wcuM/hF/eSX8wl/BaKrM3eiAc94Thom0wvKzlG0uziL4cux/O6O0na0w
o3WPfbSQltquqVPb9Z1JAgMBAAGjggQoMIIEJDAOBgNVHQ8BAf8EBAMCBaAwgYUG
CCsGAQUFBwEBBHkwdzAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2Nz
cC5pZGVudHJ1c3QuY29tMEMGCCsGAQUFBzAChjdodHRwOi8vdmFsaWRhdGlvbi5p
ZGVudHJ1c3QuY29tL2NlcnRzL2h5ZHJhbnRpZGNhTzEucDdjMB8GA1UdIwQYMBaA
FIm4m7ae7fuwxr0N7GdOPKOSnS35MCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwGCmCG
SAGG+S8ABgMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3ZhbGlkYXRpb24uaWRl
bnRydXN0LmNvbS9jcmwvaHlkcmFudGlkY2FvMS5jcmwwggE9BgNVHREEggE0MIIB
MIIJY2lzY28uY29tgg13d3cuY2lzY28uY29tgg53d3cxLmNpc2NvLmNvbYIOd3d3
Mi5jaXNjby5jb22CDnd3dzMuY2lzY28uY29tghB3d3ctMDEuY2lzY28uY29tghB3
d3ctMDIuY2lzY28uY29tghF3d3ctcnRwLmNpc2NvLmNvbYISd3d3MS1zczIuY2lz
Y28uY29tghJ3d3cyLXNzMS5jaXNjby5jb22CEnd3dzMtc3MxLmNpc2NvLmNvbYIS
d3d3My1zczIuY2lzY28uY29tghR3d3cuc3RhdGljLWNpc2NvLmNvbYIVcmVkaXJl
Y3QtbnMuY2lzY28uY29tghZjaXNjby1pbWFnZXMuY2lzY28uY29tghh3d3cubWVk
aWFmaWxlcy1jaXNjby5jb20wHQYDVR0OBBYEFJXbJPCc5ySIPskL3ul5pwsnzqOn
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAX0GCisGAQQB1nkCBAIE
ggFtBIIBaQFnAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGL
zF+ivwAABAMARzBFAiAV2h1n5lmpF6LmJiUBK23xPvFstpP2e1rgvrgk3/JsmwIh
AMWUWbEUlsvuBOZU4/Zj/319+wLUe00a3oB4TrmGl8dYAHUA7s3QZNXbGs7FXLed
tM0TojKHRny87N7DUUhZRnEftZsAAAGLzF+gvgAABAMARjBEAiAOO0eyzuDUszNb
crQzu64SP6Rb5MK2cma9K0v+TB4xtwIgQZPKexvzy13yOg7Imn9F2d8turRwP/KI
DgAaezKY8AUAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYvM
X6BZAAAEAwBHMEUCIQCLGuUmgXM4zWGFphL39D0xVwxW9YfN3M0QHuGkh+XcDgIg
duaXqsoaucNUg8Y7iXgB8941hMMVyayYk7qOSBXO50UwDQYJKoZIhvcNAQELBQAD
ggEBAMn5Jz/4Zo9Z2eduV86z+cQ2GLqe00HdV+Nu2g8z3Yg8my8TioRaNbYBj3XB
Ng+sqQ4kAAp7AGcFDFQDBh8tokdH/d9/W+K+rPED3DTADMg/xqKpwdYNjnjOIfjq
RdcPfvvCfpz6FFG67iCfvKGUJtRxCCwxZwOrH+yo5i92dZIVJBwGPT3rUACzswWR
erVDViWgeHdU8BK9cQWAnLoYT4EOUoYgIpowEBW2QJbsjtyF6F/M+6QmIRfAiQmz
ltnSXsmjQg6gU+xnb+hWr8Z6fJQ7WTKklIkq+P0m9XkMILrt2e/mJCVXllvHt1bw
3ppvS7HIO+hyjOL0Ec815gtXQ6Q=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = 
www.cisco.com
issuer=C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = 
HydrantID Server CA O1
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5570 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 
A5AB47FDA51B5E20A65B2C8E5BEE4C03B81A954F6E10525A2D656C0C08C6C72C
     Session-ID-ctx:
     Master-Key: 
BB59B80C43F03ABCF1B35A62DCCB15061954F9FF19AAB08907E661F20E9104EA9DF6C4AACDD57245757800B6D80629C6
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1718090925
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
---
--snip--

so I think, no matter what option I set, it will be ignored



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users

Reply via email to