HAProxy community

Squid and Ellipitic Curve (ECDHE)

#1

I have a squid 4.1 instance and am troubleshooting a strange issue. I have a client that when it communicates with squid appears as a tls/1.0 in the logs although looking at wireshark shows 1.2. Additionally it appears that the client is only requesting elliptic curve ciphers (TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECRSA_WITH_AES_128_GCN_256, & TLS_ECDHE_ECRSA_WITH_AES_256_GCN_384) between the the client and the squid server. The squid server then offers many more to the destination server including those presented by the client. The squid and destination server settle on TLS_ECDHE_ECDSA_WITH_AES_128_GCN_256 but the connection fails. It appears that the squid server returns to the client an Alert (Handshake failure (40)) message. The client gets an SSLv3 error message. I have played with various tls-dh and options settings under http_port with no success.

Here is extract of my logs:

src_ssl_negotiated_version=- dst_ssl_negotiated_version=TLS/1.2 src_tls_hello_version=TLS/1.0 dst_tls_hello_version=TLS/1.2 src_tls_max_version=TLS/1.2 dst_tls_max_version=TLS/1.2 src_tls_cipher=- dst_tls_cipher=ECDHE-ECDSA-AES128-GCM-SHA256 ssl_bump=- ssl_bump_mode=bump ssl_sni=bigtable.googleapis.com src_cert_subject="-" src_cert_issuer="-" dst_cert_subject="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.googleapis.com" dst_cert_issuer="/C=US/O=Google Trust Services/CN=Google Internet Authority G3" cert_errors="-"

0 Likes

#2

Where is haproxy in that picture?

0 Likes

#3

The load balancer sits between the client and the squid server; I’ve tried it bypassing the load balancer with the same results. I then dropped squid to debug_options ALL,1 83,9 and notice the following:
kid1| 83,5| ServerOptions.cc(398) updateContextConfig: Using cipher suite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4.
kid1| ERROR: Unknown EECDH curve

I ran openssl ecparam --list_curves and got the following:
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

I then updated tls-dn as follows:
tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem

The logs seem better now and I am just awaiting the client to confirm from their perspective.

0 Likes