> On Apr 17, 2016, at 5:50 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> *NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus Torvalds.
> :) We are not speaking about all possible OS'es. I suggest the matter is in
> SSL/TLS, not OS or hands or something similar.
>
> The problem is in CF, I think. At most in peek-n-splice.
>
> Because I've not changed my squid.conf over the last year, but approx. in
> January 2016 CloudFlare stopped working via proxy, as my field SA said. AFAIK,
> CF changed its own security settings. Also, I suggest mozilla.org also moved
> behind CF.
>
> Ok, let's talk about squid.conf. SSL-related rows are here:
>
> # SSL bump rules
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> http_port 3126 intercept
> https_port 3127 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE
> tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
> cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE
> tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem
> cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
> options=SINGLE_DH_USE,SINGLE_ECDH_USE
> cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
>
> I see no anomalies in these lines. Ciphersuite is very relaxed.
>
> Also, if we discuss a bug - may be better to turn on debug to know why 4.x
> got first NONE_ABORTED/200 during CONNECT phase and then NONE/503 during TLS
> negotiate?
Hi, Yuri,

If I understand correctly, the issue is between squid and the origin proxy. In case it would help, have you enabled ECDH sslproxy_options or sslproxy_cipher settings in this snippet that would enable Squid to use ECDH when talking to the origin servers?

Do you happen to have a packet capture between your squid server and a CloudFlare server that could help diagnose the TLS protocol's problem?

Regards,
Guy

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
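On Guy's point about a capture between Squid and the origin: as an added example (not code from this thread, from Squid, or from either poster), here is a small Python parser for the TLS 1.2 record bytes one would pull out of such a capture. It reports the SNI the client sent, whether the client offered any ECDHE suite, which suite the server picked, or the alert the server sent instead of a ServerHello. The cipher-suite and alert code tables are a small subset of the IANA registries, chosen to cover the samples; the two sample "captures" at the bottom are constructed inside the script, and the builder functions and all names are this example's own assumptions.

```python
import struct

TLS12 = 0x0303
# Subset of IANA cipher-suite / alert codes, enough for the constructed samples below.
CIPHER_NAMES = {0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
                0x009C: "AES128-GCM-SHA256", 0x002F: "AES128-SHA"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 48: "unknown_ca",
                      70: "protocol_version", 86: "inappropriate_fallback"}

def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, ver, payload
        off += 5 + length

def _sni_from_extensions(ext):
    """Return the host_name from a server_name extension, or None if absent."""
    off = 0
    while off + 4 <= len(ext):
        etype, elen = struct.unpack("!HH", ext[off:off + 4])
        edata = ext[off + 4:off + 4 + elen]
        if etype == 0:  # list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii")
        off += 4 + elen
    return None

def parse_client_hello(msg):
    """msg is the ClientHello body, i.e. after the 4-byte handshake header."""
    off = 2 + 32                       # client_version + random
    off += 1 + msg[off]                # session_id
    cs_len = struct.unpack("!H", msg[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + msg[off]                # compression_methods
    sni = None
    if off + 2 <= len(msg):
        ext_len = struct.unpack("!H", msg[off:off + 2])[0]
        sni = _sni_from_extensions(msg[off + 2:off + 2 + ext_len])
    return {"suites": suites, "sni": sni}

def parse_server_hello(msg):
    """Return the cipher suite the server selected."""
    off = 35 + msg[34]                 # skip server_version, random, session_id
    return struct.unpack("!H", msg[off:off + 2])[0]

def diagnose(data):
    """Summarise one captured handshake: SNI, ECDHE offered, suite chosen, alert."""
    result = {"sni": None, "offered_ecdhe": False, "chosen": None, "alert": None}
    for ctype, _ver, payload in iter_records(data):
        if ctype == 22:                # handshake: type(1) length(3) body
            htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
            body = payload[4:4 + hlen]
            if htype == 1:
                ch = parse_client_hello(body)
                result["sni"] = ch["sni"]
                result["offered_ecdhe"] = any(
                    CIPHER_NAMES.get(s, "").startswith("ECDHE-") for s in ch["suites"])
            elif htype == 2:
                result["chosen"] = CIPHER_NAMES.get(parse_server_hello(body), "unknown")
        elif ctype == 21:              # alert: level(1) description(1)
            result["alert"] = ALERT_DESCRIPTIONS.get(payload[1], "unknown")
    return result

# --- constructed sample records standing in for a real capture ---------------
def _record(ctype, payload):
    return struct.pack("!BHH", ctype, TLS12, len(payload)) + payload

def _handshake(htype, body):
    return _record(22, bytes([htype]) + len(body).to_bytes(3, "big") + body)

def build_client_hello(suites, host):
    name = host.encode("ascii")
    sn_list = struct.pack("!HBH", 3 + len(name), 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return _handshake(1, body)

def build_server_hello(suite):
    return _handshake(2, struct.pack("!H", TLS12) + bytes(32) + b"\x00"
                      + struct.pack("!H", suite) + b"\x00")

def build_alert(description, level=2):
    return _record(21, bytes([level, description]))

# One client that offers no ECDHE suite and is refused, one that offers ECDHE and succeeds.
CAPTURE_REFUSED = build_client_hello([0x002F, 0x009C], "www.example.org") + build_alert(40)
CAPTURE_OK = build_client_hello([0xC02F, 0x002F], "www.example.org") + build_server_hello(0xC02F)

if __name__ == "__main__":
    for label, cap in (("refused", CAPTURE_REFUSED), ("ok", CAPTURE_OK)):
        print(label, diagnose(cap))
```

To use it on a real capture, export the raw bytes of the TCP stream from Squid to the origin (the payload only, without TCP framing) and pass them to `diagnose`. The parser assumes TLS 1.2 record layout; a TLS 1.3 ServerHello carries its version inside the supported_versions extension, and the selected suite names would need the 0x13xx entries added to the table.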