zc2
asked on
How to make squid support TLS1.0
I am trying to setup squid proxy to re-encrypt connections between old TLS1.0 enabled devices and modern web sites which mostly support only TLS1.2+
It is now capable of TLS downgrade, e.g. translating TLS1.3 to TLS1.2. I know that, because I can connect to a site which understands only up to TLS1.2 with the following command:
openssl s_client -tls1_3 -CAfile /etc/squid/cert.pem -connect tls12only.site.com:443 -tlsextdebug -proxy 127.0.0.1:3128
And s_client output contains lines:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Removing the -proxy option in the command above makes the connection impossible. So now I need to make it work the opposite way: to upgrade the TLS version.
However, I found out that squid apparently does not support TLS1.0/TLS1.1 at all. OpenSSL itself does support that. The following command succeeds:
openssl s_client -tls1 -connect tls1only.site.com:443 -tlsextdebug
with the following in the output:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
But the same does not work through the proxy:
openssl s_client -tls1 -CAfile /etc/squid/cert.pem -connect tls1only.site.com:443 -tlsextdebug -proxy 127.0.0.1:3128
CONNECTED(00000003)
140360358970496:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 46 bytes and written 145 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1584727268
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
I compiled squid myself using debuild. In the debian/rules I added the following options: --enable-inline --enable-ssl
The actual options are:
Squid Cache: Version 4.6
Service Name: squid
Debian linux
This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-linux-gnu'
'--prefix=/usr'
'--includedir=${prefix}/include'
'--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info'
'--sysconfdir=/etc'
'--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid'
'--srcdir=.'
'--disable-maintainer-mode'
'--disable-dependency-tracking'
'--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/zc2/src/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'BUILDCXX=x86_64-linux-gnu-g++'
'--with-build-environment=default'
'--enable-build-info=Debian linux'
'--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid'
'--mandir=/usr/share/man'
'--disable-arch-native'
'--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap'
'--enable-delay-pools'
'--enable-cache-digests'
'--enable-icap-client'
'--enable-ssl-crtd'
'--with-openssl'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,SMB_LM'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-eui'
'--enable-esi'
'--enable-icmp'
'--enable-zph-qos'
'--enable-ecap'
'--disable-translation'
'--with-swapdir=/var/spool/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--with-filedescriptors=65536'
'--with-large-files'
'--with-default-user=proxy'
'--with-cppunit-basedir=/usr'
'--enable-inline'
'--enable-ssl'
'--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu'
'CC=x86_64-linux-gnu-gcc'
'CFLAGS=-g -O2 -fdebug-prefix-map=/home/zc2/src/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXX=x86_64-linux-gnu-g++'
'CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/zc2/src/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
How to make squid understand TLSv1?
squid.conf
ASKER
arnold,
Thank you for the reply. I guess my question was not understood correctly.
I don't need to disable TLS1, I need to enable it when squid is used.
I checked the file /usr/lib/ssl/openssl.cnf as you advised. There is a section [system_default_sect] with the value MinProtocol = TLSv1.2
That's strange, since without squid I was able to run s_client -tls1 (as described in my original post).
I changed the value to TLSv1.0 and restarted squid, and now it is able to accept s_client -tls1.
Also, I disabled TLS greater than 1.0 in a Mozilla browser and set the proxy to my squid. After that I was still able to browse the internet.
I guess that solves my problem. Thank you very much!
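The resolution above came down to the system-wide OpenSSL policy in /usr/lib/ssl/openssl.cnf, which Squid inherits because it links against OpenSSL. The script below is an added example, not code from this thread or from the Squid project: it parses the [system_default_sect] of an openssl.cnf-style file, reports which TLS versions that MinProtocol permits, and offers a live probe built on the same openssl s_client invocations used in the question. SAMPLE_CNF is a constructed fragment laid out like Debian's default openssl.cnf, the function names are my own, and the probe's host:port arguments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread above. It inspects the
# system-wide OpenSSL policy the asker found in /usr/lib/ssl/openssl.cnf
# and decides which TLS versions that policy lets an OpenSSL-linked
# process (Squid included) negotiate. SAMPLE_CNF is a constructed
# fragment laid out like Debian's default openssl.cnf.

SAMPLE_CNF='[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
'

# Read an openssl.cnf-style file on stdin and print the MinProtocol set
# in [system_default_sect], or "unset" if that section has none.
# That section is the one OpenSSL applies as the default to every
# SSL_CTX created by an application that loads the config.
min_protocol_from_cnf() {
    awk '
        /^[[:space:]]*\[/ {
            in_sect = ($0 ~ /^[[:space:]]*\[system_default_sect\]/)
            next
        }
        in_sect && /^[[:space:]]*MinProtocol[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    '
}

# Rank a protocol name so versions can be compared. OpenSSL's own
# spelling for 1.0 is "TLSv1"; "TLSv1.0" (as written in the reply
# above) is accepted here for convenience only.
tls_rank() {
    case "$1" in
        TLSv1|TLSv1.0) echo 1 ;;
        TLSv1.1)       echo 2 ;;
        TLSv1.2)       echo 3 ;;
        TLSv1.3)       echo 4 ;;
        *)             echo 0 ;;   # unset, None or unknown: no lower bound
    esac
}

# Succeed when protocol $2 would be allowed under MinProtocol $1.
protocol_allowed() {
    min=$(tls_rank "$1")
    want=$(tls_rank "$2")
    [ "$want" -ne 0 ] && [ "$want" -ge "$min" ]
}

# List which of TLS 1.0..1.3 a given MinProtocol permits, one per line.
allowed_versions() {
    for v in TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if protocol_allowed "$1" "$v"; then echo "$v: allowed"; else echo "$v: blocked"; fi
    done
}

# Live check against a server (host:port), directly or through a proxy
# such as the Squid instance in the thread. Needs network access, so the
# demo below does not call it. A failed handshake shows up as
# "Cipher is (NONE)" in s_client output, exactly as in the asker's log.
probe_tls_versions() {
    target=$1
    proxy=${2:-}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if [ -n "$proxy" ]; then
            out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$target" -proxy "$proxy" 2>&1)
        else
            out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$target" 2>&1)
        fi
        if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
            echo "$flag: handshake rejected"
        else
            echo "$flag: handshake completed"
        fi
    done
}

# Demo on the constructed sample; pipe the real file in to audit a host.
minproto=$(printf '%s' "$SAMPLE_CNF" | min_protocol_from_cnf)
echo "MinProtocol in sample: $minproto"
allowed_versions "$minproto"
```

To audit a real host, run `min_protocol_from_cnf < /usr/lib/ssl/openssl.cnf`; to see what a server or the proxy actually negotiates, call `probe_tls_versions tls1only.site.com:443 127.0.0.1:3128`. Note that the MinProtocol line in [system_default_sect] is the default for every process on the host that loads that OpenSSL config, not only Squid, so lowering it as described above widens what all of them will accept; running this check before and after such a change makes the host-wide effect visible.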
I.e., by seemingly requiring TLS 1.0 you might exclude your squid instance from being able to access TLS 1.0.
I relooked at your question. The only way to achieve what you want: squid has to act as the person in the middle, terminating the connection of the requesting system while going out and fetching the data from the destination.
To achieve this squid MUST be trusted for ALL SITES to which users might go.
Usually, SSL requests are TCP Direct CONNECTIONs; think of it as a tunnel.