[squid-users] Skype Issues

Renato Jop renjop at gmail.com
Sat Jun 25 13:19:53 UTC 2016


Hello,
I've configured squid to filter both HTTP and HTTPS traffic, and for the
most part the squid server is working correctly; however, I am always
unable to log in with Skype.  Skype does send all the requests through the
squid server, but looking into the cache.log I always get an "Error
negotiating SSL connection on FD 12: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher" message.
If I run: openssl s_client -crlf -connect 157.55.56.164:443 I get exactly
the same error. However if I run: openssl s_client -crlf -connect
157.55.56.164:443 -tls1_2 -ssl2 I am able to connect.
If I disable HTTPS, Skype logs in with no problems.
I've searched on the mailing list archive and found that other people have
had the same issues but none have been able to fix them. Is this a known
issue with squid? Any help would be greatly appreciated.

My openssl version is: OpenSSL 1.0.1s-freebsd  1 Mar 2016 and my squid
version is: Squid Cache: Version 3.5.19 configured with:
'--with-default-user=squid' '--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
'--without-gnutls' '--enable-auth' '--enable-build-info'
'--enable-loadable-modules' '--enable-removal-policies=lru heap'
'--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy'
'--disable-translation' '--disable-arch-native' '--enable-eui'
'--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
'--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
'--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
'--enable-ipv6' '--enable-kqueue' '--with-large-files'
'--enable-http-violations' '--without-nettle' '--enable-snmp'
'--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include'
'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
'--disable-stacktraces' '--disable-ipf-transparent'
'--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
'--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
'--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe
-I/usr/local/include -I/usr/local/include -fstack-protector
-DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib  -pthread
-L/usr/local/lib -L/usr/local/lib  -Wl,-rpath,/usr/local/lib:/usr/lib
-fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 '
'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=LDAP SASL DB
SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
'--enable-auth-digest=file' '--enable-external-acl-helpers=LDAP_group
file_userip time_quota unix_group kerberos_ldap_group'
'--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=aufs diskd ufs' '--enable-disk-io=DiskThreads DiskDaemon
AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file'
'--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3'
'build_alias=amd64-portbld-freebsd10.3' 'CC=cc'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe
-I/usr/local/include -I/usr/local/include -fstack-protector
-DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
My current configuration is as follows:
# Client-facing listeners. Each *_port line carries its own TLS settings for
# the connection between the client and Squid. ssl-bump together with
# generate-host-certificates=on makes Squid present certificates it mints
# itself, signed with the certificate given in cert=.
# NOTE(review): no key= is given, so serverkey.pem presumably holds both the
# signing certificate and its private key -- keep it readable only by the
# Squid user, because every client that trusts this CA trusts anything
# signed with that key.
# NOTE(review): SSL3_GET_CLIENT_HELLO is the server side of a handshake, so
# the "no shared cipher" error in cache.log points at the cipher= list on
# these listeners (what Squid accepts from clients) rather than at
# sslproxy_cipher further down -- confirm by comparing this list with the
# ciphers the failing client offers.
# NOTE(review): the list leads with EECDH suites, but only dhparams= is set
# and no ECDH curve is named; verify that the EECDH suites are actually
# usable on these listeners with this Squid/OpenSSL build.
# In the cipher string, !RC4 removes RC4 permanently, so the earlier
# EECDH+aRSA+RC4 entry has no effect.
# options= turns off SSLv2 and SSLv3 and asks for a fresh DH key per handshake.
http_port 175.15.2.239:8080 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# Same TLS settings as above, on a loopback listener for intercepted HTTP.
http_port 127.0.0.1:8080 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# Same TLS settings again, on a loopback listener for intercepted HTTPS.
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem
capath=/usr/local/share/certs/
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname hidden
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
pinger_program /usr/local/libexec/squid/pinger
# Helper that generates and caches the per-host certificates used by ssl-bump.
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db
-M 4MB -b 2048
sslcrtd_children 50
# The sslproxy_* directives apply to the Squid-to-origin-server side of a
# bumped connection, not to the client-facing handshake.
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# NOTE(review): "allow all" makes Squid accept every origin-server
# certificate validation error. Bumped clients only ever see the certificate
# Squid generates, so they cannot notice an invalid or substituted origin
# certificate themselves. Limit this to a narrow ACL, or drop it once
# testing is finished.
sslproxy_cert_error allow all

#SKYPE according to: http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
# NOTE(review): in the last alternative of the regex the character class
# reads "|0-9\.]+" -- the opening "[" looks missing; compare with the wiki
# page cited above.
acl numeric_IPs dstdom_regex
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|0-9\.]+)?\])):443
# Skype_UA matches on the User-Agent request header.
acl Skype_UA browser ^skype
# NOTE(review): this rule says numeric_IPS while the ACL above is defined as
# numeric_IPs, and CONNECT/localnet are not defined in this excerpt --
# confirm all three resolve in the full squid.conf.
# NOTE(review): on the intercept listeners there may be no client CONNECT
# request carrying a User-Agent -- verify whether this rule can match there.
http_access allow CONNECT localnet numeric_IPS Skype_UA
#END SKYPE