[squid-users] Skype Issues

Yuri yvoinov at gmail.com
Mon Jun 27 14:29:46 UTC 2016


Try removing NO_SSLv2,NO_SSLv3 from options. SSLv2 is already unsupported
everywhere, RC4/3DES are SSLv3 ciphers, so it can confuse software. I.e.,
you use custom cipher/protocol combinations, which can lead to issues.


27.06.2016 20:25, Renato Jop wrote:
> Thank you both for your valuable help.
> I've configured the tls-dh param with a strong Diffie-Hellman group
> (2048 bits) and configured the cipher as Yuri specified and I was able
> to get past the unknown cipher, however now I get an "SSL
> routines:SSL3_GET_RECORD:wrong version number". Here's the
> configuration I changed:
> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> dhparams=/etc/dh-parameters.2048
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> tls-dh=/usr/local/etc/squid/dhparams.pem
>
>
>
> Renato Jop
>
> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
>
>
>
>     25.06.2016 23:09, Amos Jeffries wrote:
>     > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>     >>
>     >> Amos, you are wrong.
>     >>
>     >> No Squid-4. It's unstable and not ready for production, whatever its
>     >> features.
>     >
>     > So some beta software has bugs therefore nobody should ever use it for
>     > anything. I find that to be a strange and sad view of the world.
>     >
>     > Care to guess why I listed it as the last option amongst several?
>     > Or why 4.0.11 exists as a beta still?
>     > It *is* an option for the mentioned problem(s) though whatever its
>     > utility.
>     Agreed.
>     >
>     >
>     >
>     >>
>     >> Some time ago I had the same issue and know exactly what happens.
>     >>
>     >> Skype's initial connection site uses the RC4 cipher, which is
>     >> disabled in most Squid configurations.
>     >
>     > Your "know what happens exactly" differs from at least two other
>     > people's debugging experiences with Skype.
>     >
>     > RC4 is on the hitlist for most of the big vendors for the past year or
>     > so. IIRC there were several Windows Updates to remove it and other
>     > broken bits from a lot of things over the past year.
>     > If Skype is still using RC4 it might be part of this problem.
>     I'm sure this is the problem and this problem exists. MS does nothing to
>     make their sites/services more secure. BTW, MS Updates itself uses RC4
>     ciphers at this time. With strong ciphers there is no way to set up WU
>     via Squid. I've spent much time identifying this problem in my setup
>     and finding a working workaround.
>
>     Another part of the problem is: MS often uses its own self-signed roots,
>     which exist in Windows, but nowhere else, and which are not
>     cross-signed by well-known root CAs. They think it makes MS services
>     more secure. They are wrong. But we can't do anything about it. So, this
>     forces us to add self-signed MS roots to our Squid's CA bundles to
>     bump/splice.
>     >
>     >
>     >>
>     >> To make it work (as well as most M$ update sites) it simply requires
>     >> using this cipher suite:
>     >>
>     >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>     >>
>     >> That works for me in 5 SSL bumped setups. It doesn't matter which
>     >> Squid version is installed.
>     >
>     > Thank you. That's another option then. I'd rate that below trying the
>     > EC ciphers, and above library updates.
>     You are welcome.
>
>     Just for information: MS has its own IT infrastructure, with some
>     strangely configured and not well-managed elements. I can't guarantee
>     this workaround will work everywhere or for every MS service.
>
>     When I did my research, I saw some strange TLS security combinations on
>     MS sites/services, for example RC4+ECDSA+TLSv1.2, or RC4+MD5+TLSv1,
>     and some similar. Very idiotic and potentially dangerous combinations.
>     And their support ignores all requests. As usual.
>
>     To my regret, I cannot order all of its users to abandon the use of
>     Windows. So far, my infrastructure has machines with Windows XP.
>
>     Nothing can be done about this; it is only necessary to weaken the
>     security, for the sake of compatibility.
>     >
>     >
>     > Amos
>     > _______________________________________________
>     > squid-users mailing list
>     > squid-users at lists.squid-cache.org
>     > http://lists.squid-cache.org/listinfo/squid-users
>
>
>
