[squid-users] Skype Issues

Mon Jun 27 15:36:38 UTC 2016

Is there a way to verify that the SSL library doesn't support SSLv3?

Renato Jop

On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoinov at gmail.com> wrote:

> Looks like your SSL library does not contain SSLv3 protocol support
> already, but site announce it.
>
> 27.06.2016 20:42, Renato Jop пишет:
>
> I removed the NO_SSLv2, NO_SSLv3 however, right before the SSL3_GET_
> RECORD:wrong version number the SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov at gmail.com> wrote:
>
>> Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not supported
>> everywhere, RC4/3DES is SSLv3 ciphers, so it can be confuse software. I.e.,
>> you use custom ciphers/protocols combinations, which can lead issue.
>>
>> 27.06.2016 20:25, Renato Jop пишет:
>>
>> Thank you both for your valuable help.
>> I've configured the tls-dh param with a strong Diffie-Hellman group (2048
>> bits) and configured the cipher as Yuri specified and I was able to get
>> pass the unknown cipher, however now I get a "SSL routines:SSL3_GET_
>> RECORD:wrong version number". Here's the configuration I changed:
>>  cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> tls-dh=/usr/local/etc/squid/dhparams.pem
>>
>>
>>
>> Renato Jop
>>
>> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov < <yvoinov at gmail.com>
>> yvoinov at gmail.com> wrote:
>>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>>
>>>
>>> 25.06.2016 23:09, Amos Jeffries пишет:
>>> > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>> >>
>>> >> Amos, you are a wrong.
>>> >>
>>> >> No Squid-4. It's unstable and not ready for production. Whenever it's
>>> >> features.
>>> >
>>> > So some beta software has bugs therefore nobody should ever use it for
>>> > anything. I find that to be a strange and sad view of the world.
>>> >
>>> > Care to guess why I listed it as the last option amongst several?
>>> >  Or why 4.0.11 exists as a beta still?
>>> > It *is* an option for the mentioned problem(s) though whatever its
>>> utility.
>>> Agreed.
>>> >
>>> >
>>> >
>>> >>
>>> >> Some time ago I have the same issue and know what happens exactly.
>>> >>
>>> >> Skype initial connection site uses RC4 cipher. Which is disabled in
>>> most
>>> >> squid's configuration.
>>> >
>>> > Your "know what happens exactly" differs from at least two other
>>> peoples
>>> > debugging experiences with Skype.
>>> >
>>> > RC4 is on the hitlist for most of the big vendors for the past year or
>>> > so. IIRC there were several Windows Updates to remove it and other
>>> > broken bits from a lot of things over the past year.
>>> > If Skype is still using RC4 it might be part of this problem.
>>> I'm sure this is problem and this problem exists. MS do nothing to make
>>> they sites/services more secure. BTW, MS Updates uses RC4 ciphers itself
>>> this time. With strong siphers there is no way to setup WU via Squid.
>>> I've spent much time to identify this problem in my setup and find
>>> working workaround.
>>>
>>> Another part of problem is: MS often uses it's own self-signed roots,
>>> which is exists in Windows, but nowhere else. And which has not
>>> cross-signed by well-known root CA's. They think it make MS services
>>> more secure. They wrong. But we can't do anything with it. So, this is
>>> forced us to add self-signed MS roots to our Squid's CA bundles to
>>> bump/splice.
>>> >
>>> >
>>> >>
>>> >> To make it works (as by as most M$ update sites) it's require simple
>>> use
>>> >> this cipher's suite:
>>> >>
>>> >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>> >>
>>> >> That works for me in 5 SSL bumped setups. There is no matter which
>>> squid
>>> >> version installed.
>>> >
>>> > Thank you. Thats another option then. I'd rate that below trying the EC
>>> > ciphers, and above library updates.
>>> You are welcome.
>>>
>>> Just for information: MS has own IT infrastructure, with some strange
>>> configured and non well-managed elements. I can't guarantee this
>>> workaround will work everywhere or for every MS service.
>>>
>>> When I made my research, I've seen some strange security TLS
>>> combinations on MS sites/services. I.e., for example, RC4+ECDSA+TLSv1.2.
>>> Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
>>> potentially dangerous combinations. And - they support ignores all
>>> requests. As usual.
>>>
>>> To my regret, I can not order all of its users to abandon the use of
>>> Windows. So far, in my infrastructure have machines with Windows XP.
>>>
>>> With this nothing can be done, it is necessary only to weaken the
>>> security - for the sake of compatibility.
>>> >
>>> >
>>> > Amos
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users at lists.squid-cache.org
>>> > http://lists.squid-cache.org/listinfo/squid-users
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2
>>>
>>> iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z
>>> yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW
>>> OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS
>>> 0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK
>>> 3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF
>>> Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=
>>> =8BTp
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160627/78c06b3e/attachment.html>