[squid-users] https issues for google

glenn.groves at bradnams.com.au
Mon Dec 8 23:57:55 UTC 2014


Hi Eliezer,

The command for www.google.com failed to complete the connection with an unknown protocol error:

openssl s_client -connect www.google.com:443 -showcerts
CONNECTED(00000003)
140623996839752:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The commands for www.google.com.au, google.com.au AND google.com all got the certificate fine; for example, a snippet:

openssl s_client -connect www.google.com.au:443 -showcerts
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
------------------------------------
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 10548 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 363AA9E6E5446296B11FC1763C24C0C23D6D4D67E4E0D858CEAA9C3B8172CE9A
    Session-ID-ctx:
    Master-Key: 30AC2CE9E8447130F9A4664CEF9399075C5C97602F4908D532540CE3694558AF66D54A5390FAF137BB8121785D0B7BB3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 58 90 ee 84 cd 6d 26 5f-13 10 64 4c df 9a 1d a2   X....m&_..dL....
    0010 - 61 fe 82 ea b8 28 c2 51-6d f4 d9 ac 4c a1 45 be   a....(.Qm...L.E.
    0020 - b4 e0 d0 2e 83 3b 08 f4-e1 20 0f 8d 7a fa 77 9f   .....;... ..z.w.
    0030 - 0b 15 5c a3 6f 36 a7 79-4a 8f 70 af ee 81 0e 34   ..\.o6.yJ.p....4
    0040 - 78 a0 ba 22 84 62 56 7f-19 37 19 d3 66 bd 9a e2   x..".bV..7..f...
    0050 - 5b a4 47 29 3d 73 32 a8-f8 2a 29 29 b6 81 1f 9b   [.G)=s2..*))....
    0060 - 74 bb a9 9a 6f 3a 70 5d-31 7c 5b ba 6c 06 2c 59   t...o:p]1|[.l.,Y
    0070 - 14 b9 c8 af d5 3e 05 15-48 52 2e c6 0e c6 31 15   .....>..HR....1.
    0080 - 26 2e a6 5f d7 e4 09 dd-24 f7 74 ac 5e bb 00 ea   &.._....$.t.^...
    0090 - 39 d8 70 0e ba 87 99 fe-ff 9c 02 cd bf f2 d4 8b   9.p.............
    00a0 - 2a c2 90 b2                                       *...

    Start Time: 1418082857
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)




-----Original Message-----
From: Eliezer Croitoru [mailto:eliezer at ngtech.co.il] 
Sent: Monday, 8 December 2014 1:21 PM
To: squid-users at lists.squid-cache.org
Cc: Glenn Groves
Subject: Re: [squid-users] https issues for google

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK Glenn,

It's unclear on which side the SSL error is.
There are issues, and the next step would be to run some openssl s_client tests against these hosts.
An example, through a proxy and directly, can be found at the following link:
http://stackoverflow.com/questions/3220419/openssl-s-client-using-a-proxy

We will look together at the results of the basic test, a direct connection vs. a tunneled connection from the proxy itself, and understand the issue better.

Eliezer

On 12/08/2014 02:25 AM, glenn.groves at bradnams.com.au wrote:
> -- Iptables is enabled; I suspect this should not be a problem there, as
> some SSL sites work.
> -- We do not use IPv6. I have tried disabling IPv6 in CentOS and leaving
> it as is; no difference there.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUhRkdAAoJENxnfXtQ8ZQUcgoIAIee9Ce5JCNYRt+zIZXdrtEE
OzHA9YO1xucI5/xEJlPXvV0x5O4g75HINOyE+K/KII+z/T92Lvfoa4rYmo4D7jxf
0fqjwfP9D3D2Xb58lhlhfdoXD69L36orVKROahCt/xVx5b+lOlQ2NJI3NXDG2GnX
UG7nJENWeKW+u2AY9934ydP223cd08q471tmXCZba6bUGCWdC3/IFS7w2XVwbTsU
ffiv7dZc1V4q45XgHpeGbqhUKZpFlyJ2zxpqYbW9y+OKpNgfGnn/4GqAheCqeDco
t+VE21aiJux0xy7uWVnNj7VVsn3cV3EUBei3UiHZ0AKCoGsRERCt8c2OOmJgcvM=
=5R6z
-----END PGP SIGNATURE-----
 
This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify the Bradnam Group Helpdesk at helpdesk at bradnams.com.au 

Any information, statements or opinions contained in this message (including any attachments) are given by the author. They are not given on behalf of the Bradnam Group unless subsequently confirmed by an individual other than the author who is duly authorised to represent the Bradnam Group (or any of its subsidiary and associate companies).

All sent and received email from/to the Bradnam Group (or any of its subsidiary and associate companies) is automatically scanned for the presence of computer viruses, security issues and inappropriate content.

For further information on the services which the Bradnam Group provides visit our web 
site(s) at www.bradnams.com.au or www.nationalglass.com.au
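An added example, not code from the thread or from Squid: a small Python version of the direct-vs-proxy check Eliezer asked for, plus a decoder for what "SSL23_GET_SERVER_HELLO:unknown protocol" actually means. OpenSSL raises that error when the first bytes the peer sends back are not an SSL/TLS record, so the useful diagnostic is to capture those bytes (the "7 bytes read" in the failing output above) and look at them. The handshake is driven through an in-memory BIO so the raw wire bytes can be inspected before OpenSSL parses them. The proxy address, the use of HTTP CONNECT, and the sample replies in the `__main__` block are assumptions for illustration; the thread does not give the proxy's address or port, and the sample bytes are constructed, not captured.

```python
"""Added example (not from the thread): direct vs. CONNECT-tunneled TLS probe,
recording the first bytes the server answers with, as openssl s_client sees them."""
import socket
import ssl

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # TLS record content types


def classify_server_reply(first_bytes: bytes) -> str:
    """Say what kind of reply the peer sent in response to our ClientHello."""
    if len(first_bytes) < 5:
        # Peer closed or reset before a full 5-byte record header arrived.
        return "short-or-empty"
    content_type, major = first_bytes[0], first_bytes[1]
    if content_type == TLS_HANDSHAKE and major == 0x03:
        return "tls-handshake"    # SSLv3/TLS ServerHello: s_client would carry on
    if content_type == TLS_ALERT and major == 0x03:
        return "tls-alert"        # server refused the hello with an Alert record
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"   # something answered in clear text (proxy, web server)
    return "unknown"              # what s_client reports as "unknown protocol"


def open_connect_tunnel(proxy_host, proxy_port, host, port, timeout=5.0):
    """Ask an HTTP proxy for a CONNECT tunnel (what a browser does behind Squid)
    and return the raw socket once the proxy has answered 200."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(status) < 2 or not status[0].startswith("HTTP/1.") or status[1] != "200":
        sock.close()
        raise OSError(f"proxy refused CONNECT: {' '.join(status)!r}")
    return sock


def probe(host, port=443, proxy=None, timeout=5.0):
    """Run a real handshake, directly or via proxy=(host, port), and return
    (classification of the first reply bytes, certificate CN or error reason)."""
    if proxy:
        sock = open_connect_tunnel(proxy[0], proxy[1], host, port, timeout)
    else:
        sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(timeout)
    ctx = ssl.create_default_context()          # verifies chain and hostname
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    first = b""
    try:
        while True:
            try:
                tls.do_handshake()
                break
            except ssl.SSLWantReadError:
                pending = outgoing.read()
                if pending:
                    sock.sendall(pending)        # ClientHello, later flights
                data = sock.recv(16384)
                if not data:
                    incoming.write_eof()         # peer closed; next call raises
                    continue
                if not first:
                    first = data[:5]             # the bytes s_client "has read"
                incoming.write(data)
        sock.sendall(outgoing.read())            # flush the final flight
        subject = dict(item[0] for item in tls.getpeercert()["subject"])
        return classify_server_reply(first), subject.get("commonName")
    except ssl.SSLError as exc:                  # includes cert-verify and EOF errors
        return classify_server_reply(first), exc.reason or str(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed replies, not captured data: a TLS ServerHello record header
    # and a clear-text HTTP status line.
    print(classify_server_reply(b"\x16\x03\x03\x00\x5a\x02\x00\x00"))  # tls-handshake
    print(classify_server_reply(b"HTTP/1.1 403 Forbidden\r\n"))       # plaintext-http
    # Live comparison; the proxy address is an assumed placeholder:
    # print(probe("www.google.com"))
    # print(probe("www.google.com", proxy=("127.0.0.1", 3128)))
```

Run `probe()` once directly from the proxy box and once through the proxy for each hostname in the thread and compare the first element of each result: a host that yields "tls-handshake" directly but "plaintext-http" or "short-or-empty" through the tunnel points at the proxy path (ACLs, an intercepting rule, or whatever sits in front of it), while the same classification on both paths points at the network or the upstream. For the command-line equivalent, OpenSSL 1.1.0 and later accept `openssl s_client -proxy proxyhost:port -connect host:443`, which issues the CONNECT itself; older releases need a helper like the one in the StackOverflow link Eliezer posted.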