[squid-users] Skype Issues

Renato Jop renjop at gmail.com
Wed Jun 29 16:58:46 UTC 2016 

I've installed squid4 and the problems still persists. I've added the
following acl:
# define what Squid errors indicate receiving non-HTTP traffic:
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
# define what Squid errors indicate receiving nothing:
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
# tunnel everything that does not look like HTTP:
on_unsupported_protocol tunnel foreignProtocol
# tunnel if we think the client waits for the server to talk first:
on_unsupported_protocol tunnel serverTalksFirstProtocol
# in all other error cases, just send an HTTP "error page" response:
on_unsupported_protocol respond all

Renato Jop

On Wed, Jun 29, 2016 at 8:21 AM, Renato Jop <renjop at gmail.com> wrote:

> I've installed LibreSSL 2.2.9 and the issue still persists.
> I think I am going to have install squid4 even if it's still in beta to
> solve this issues.
> Thanks for your help.
>
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 9:36 AM, Renato Jop <renjop at gmail.com> wrote:
>
>> Is there a way to verify that the SSL library doesn't support SSLv3?
>>
>> Renato Jop
>>
>> On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoinov at gmail.com> wrote:
>>
>>> Looks like your SSL library does not contain SSLv3 protocol support
>>> already, but site announce it.
>>>
>>> 27.06.2016 20:42, Renato Jop пишет:
>>>
>>> I removed the NO_SSLv2, NO_SSLv3 however, right before the SSL3_GET_
>>> RECORD:wrong version number the SSL
>>> routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>>>
>>> Renato Jop
>>>
>>> On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov at gmail.com> wrote:
>>>
>>>> Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not
>>>> supported everywhere, RC4/3DES is SSLv3 ciphers, so it can be confuse
>>>> software. I.e., you use custom ciphers/protocols combinations, which can
>>>> lead issue.
>>>>
>>>> 27.06.2016 20:25, Renato Jop пишет:
>>>>
>>>> Thank you both for your valuable help.
>>>> I've configured the tls-dh param with a strong Diffie-Hellman group
>>>> (2048 bits) and configured the cipher as Yuri specified and I was able to
>>>> get pass the unknown cipher, however now I get a "SSL routines:SSL3_GET_
>>>> RECORD:wrong version number". Here's the configuration I changed:
>>>>  cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>>> tls-dh=/usr/local/etc/squid/dhparams.pem
>>>>
>>>>
>>>>
>>>> Renato Jop
>>>>
>>>> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov < <yvoinov at gmail.com>
>>>> yvoinov at gmail.com> wrote:
>>>>
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA256
>>>>>
>>>>>
>>>>>
>>>>> 25.06.2016 23:09, Amos Jeffries пишет:
>>>>> > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>>>> >>
>>>>> >> Amos, you are a wrong.
>>>>> >>
>>>>> >> No Squid-4. It's unstable and not ready for production. Whenever
>>>>> it's
>>>>> >> features.
>>>>> >
>>>>> > So some beta software has bugs therefore nobody should ever use it
>>>>> for
>>>>> > anything. I find that to be a strange and sad view of the world.
>>>>> >
>>>>> > Care to guess why I listed it as the last option amongst several?
>>>>> >  Or why 4.0.11 exists as a beta still?
>>>>> > It *is* an option for the mentioned problem(s) though whatever its
>>>>> utility.
>>>>> Agreed.
>>>>> >
>>>>> >
>>>>> >
>>>>> >>
>>>>> >> Some time ago I have the same issue and know what happens exactly.
>>>>> >>
>>>>> >> Skype initial connection site uses RC4 cipher. Which is disabled in
>>>>> most
>>>>> >> squid's configuration.
>>>>> >
>>>>> > Your "know what happens exactly" differs from at least two other
>>>>> peoples
>>>>> > debugging experiences with Skype.
>>>>> >
>>>>> > RC4 is on the hitlist for most of the big vendors for the past year
>>>>> or
>>>>> > so. IIRC there were several Windows Updates to remove it and other
>>>>> > broken bits from a lot of things over the past year.
>>>>> > If Skype is still using RC4 it might be part of this problem.
>>>>> I'm sure this is problem and this problem exists. MS do nothing to make
>>>>> they sites/services more secure. BTW, MS Updates uses RC4 ciphers
>>>>> itself
>>>>> this time. With strong siphers there is no way to setup WU via Squid.
>>>>> I've spent much time to identify this problem in my setup and find
>>>>> working workaround.
>>>>>
>>>>> Another part of problem is: MS often uses it's own self-signed roots,
>>>>> which is exists in Windows, but nowhere else. And which has not
>>>>> cross-signed by well-known root CA's. They think it make MS services
>>>>> more secure. They wrong. But we can't do anything with it. So, this is
>>>>> forced us to add self-signed MS roots to our Squid's CA bundles to
>>>>> bump/splice.
>>>>> >
>>>>> >
>>>>> >>
>>>>> >> To make it works (as by as most M$ update sites) it's require
>>>>> simple use
>>>>> >> this cipher's suite:
>>>>> >>
>>>>> >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>>>> >>
>>>>> >> That works for me in 5 SSL bumped setups. There is no matter which
>>>>> squid
>>>>> >> version installed.
>>>>> >
>>>>> > Thank you. Thats another option then. I'd rate that below trying the
>>>>> EC
>>>>> > ciphers, and above library updates.
>>>>> You are welcome.
>>>>>
>>>>> Just for information: MS has own IT infrastructure, with some strange
>>>>> configured and non well-managed elements. I can't guarantee this
>>>>> workaround will work everywhere or for every MS service.
>>>>>
>>>>> When I made my research, I've seen some strange security TLS
>>>>> combinations on MS sites/services. I.e., for example,
>>>>> RC4+ECDSA+TLSv1.2.
>>>>> Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
>>>>> potentially dangerous combinations. And - they support ignores all
>>>>> requests. As usual.
>>>>>
>>>>> To my regret, I can not order all of its users to abandon the use of
>>>>> Windows. So far, in my infrastructure have machines with Windows XP.
>>>>>
>>>>> With this nothing can be done, it is necessary only to weaken the
>>>>> security - for the sake of compatibility.
>>>>> >
>>>>> >
>>>>> > Amos
>>>>> > _______________________________________________
>>>>> > squid-users mailing list
>>>>> > squid-users at lists.squid-cache.org
>>>>> > http://lists.squid-cache.org/listinfo/squid-users
>>>>>
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v2
>>>>>
>>>>> iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z
>>>>> yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW
>>>>> OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS
>>>>> 0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK
>>>>> 3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF
>>>>> Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=
>>>>> =8BTp
>>>>> -----END PGP SIGNATURE-----
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160629/f89f1252/attachment.html>

More information about the squid-users mailing list